CVE-2026-40997
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
Several Spring WS integration paths with Spring Security could expose detailed account state information, such as locked or disabled user accounts, through exception messages or callback outcomes. This behavior assists remote attackers in distinguishing valid accounts from invalid ones.
Risk Assessment
The disclosure of detailed account state information may lead to an increased risk of attacks, as attackers can more easily identify accounts that can be targeted.
Recommendation
It is recommended to upgrade to the latest version of Spring Web Services to mitigate the risk associated with the disclosure of account state information.
Original NVD description (English source)
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

