CVE Catalog

CVE-2026-41694

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

Spring Security SAML decrypts SAML Responses and elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, allowing attackers to use the Service Provider as a decryption oracle.

Risk Assessment

Attackers can decrypt sensitive data transmitted via SAML protocol, leading to confidentiality breaches and potential session hijacking.

Recommendation

Immediately update Spring Security to version 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, depending on the branch in use.

Original NVD description (English source)

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS