CVE-2026-41694
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
Spring Security SAML decrypts SAML Responses and elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, allowing attackers to use the Service Provider as a decryption oracle.
Risk Assessment
Attackers can decrypt sensitive data transmitted via SAML protocol, leading to confidentiality breaches and potential session hijacking.
Recommendation
Immediately update Spring Security to version 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, depending on the branch in use.
Original NVD description (English source)
Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

