CVE Catalog

CVE-2026-40999

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile - higher than 30% of all known CVEs

Summary

A vulnerability in Spring WS allows outbound connections to unverified addresses when non-anonymous ReplyTo or FaultTo addresses are used. This may lead to unauthorized access to external resources.

Risk Assessment

Organizations may be exposed to SSRF (Server-Side Request Forgery) attacks, potentially resulting in data leakage or access to internal systems.

Recommendation

It is recommended to upgrade to the latest version of Spring WS and implement additional address verification mechanisms in request headers.

Original NVD description (English source)

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS