CVE-2026-40999
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
A vulnerability in Spring WS allows outbound connections to unverified addresses when non-anonymous ReplyTo or FaultTo addresses are used. This may lead to unauthorized access to external resources.
Risk Assessment
Organizations may be exposed to SSRF (Server-Side Request Forgery) attacks, potentially resulting in data leakage or access to internal systems.
Recommendation
It is recommended to upgrade to the latest version of Spring WS and implement additional address verification mechanisms in request headers.
Original NVD description (English source)
When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

