CVE Catalog

CVE-2026-40994

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile - higher than 14% of all known CVEs

Summary

Wss4jSecurityInterceptor incorrectly initializes its BSP compliance flag, leading to the disabling of BSP enforcement for RequestData. Services validating WS-Security on the network may accept messages that violate BSP rules.

Risk Assessment

This weakening of protocol-level checks may allow unauthorized or malicious messages to be accepted, increasing the risk of attacks on network services.

Recommendation

It is recommended to upgrade to the latest version of Spring Web Services to restore proper BSP enforcement and secure services against potential threats.

Original NVD description (English source)

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS