Description
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.

Affected versions:
Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in applications that use the spring-security-saml2-service-provider component with the REDIRECT binding for SAML 2.0 Login or Logout. A crafted compressed SAML payload can be inflated into memory without bounds, exhausting server resources and causing the application to become unresponsive. This is a classic denial of service flaw classified as CWE-400 and does not provide the attacker with direct data exfiltration or code execution capabilities.

Affected Systems

Products affected are Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5. Only the spring-security-saml2-service-provider module of Spring Security is affected; no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score is not available and KEV has not listed this vulnerability. The likely attack vector is remote, via an attacker-specified SAML assertion transmitted over HTTP to the application’s SAML endpoint. An attacker can trigger the inflation by sending a specially compressed payload, leading to excessive memory consumption and service disruption. The lack of an EPSS rating does not diminish the risk, as memory exhaustion attacks can be simple to construct and do not require special privileges.

Generated by OpenCVE AI on June 10, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to the latest release that contains the DEFLATE inflation fix (versions 5.7.24+, 5.8.26+, 6.3.17+, 6.4.17+, 6.5.11+, 7.0.6+).
  • Configure the application to enforce a strict maximum size for SAML requests received via the REDIRECT binding, rejecting any payload that exceeds a safe threshold.
  • If a patch is not immediately available, restrict access to the SAML endpoints to trusted IP ranges or require authentication prior to processing SAML assertions.
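The second recommended action, a hard ceiling on the inflated size, is what prevents the memory exhaustion the description names: the REDIRECT binding carries the SAML message as raw DEFLATE (RFC 1951) followed by Base64, so a few kilobytes on the wire can inflate to hundreds of megabytes if the inflater is allowed to run unbounded. The following is an added example of a bounded inflater written for this page; it is not Spring Security's own code or its fix. The class and method names (BoundedSamlInflater, decodeRedirectParam, inflate, encodeRedirectParam) and the 1 MiB limit are assumptions chosen for illustration, and the oversized input is constructed inline to exercise the limit.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/**
 * Bounded inflation of a SAML REDIRECT-binding payload (raw DEFLATE, then Base64).
 * Illustrative code written for this page; not Spring Security's implementation.
 */
public final class BoundedSamlInflater {

    /** Assumed ceiling for an inflated AuthnRequest/LogoutRequest; tune per deployment. */
    public static final int DEFAULT_MAX_INFLATED_BYTES = 1 << 20; // 1 MiB

    private BoundedSamlInflater() {}

    /** Base64-decodes a SAMLRequest/SAMLResponse query parameter value and inflates it under a limit. */
    public static String decodeRedirectParam(String base64Param, int maxInflatedBytes)
            throws DataFormatException {
        byte[] deflated = Base64.getDecoder().decode(base64Param);
        byte[] xml = inflate(deflated, maxInflatedBytes);
        return new String(xml, StandardCharsets.UTF_8);
    }

    /** Inflates raw DEFLATE data, aborting as soon as the output would exceed maxBytes. */
    public static byte[] inflate(byte[] deflated, int maxBytes) throws DataFormatException {
        Inflater inflater = new Inflater(true); // nowrap=true: raw DEFLATE, as the SAML bindings spec requires
        try {
            inflater.setInput(deflated);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0) {
                    // All input was supplied up front, so no progress means a truncated
                    // stream or one needing a preset dictionary; refuse rather than spin.
                    throw new DataFormatException("truncated or unsupported DEFLATE stream");
                }
                // Check before buffering so the limit bounds memory use, not just the final size.
                if (out.size() + n > maxBytes) {
                    throw new DataFormatException("inflated SAML payload exceeds " + maxBytes + " bytes");
                }
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib memory promptly
        }
    }

    /** Raw DEFLATE + Base64, the encoding applied before the redirect; used here only to build inputs. */
    static String encodeRedirectParam(byte[] plain) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try {
            deflater.setInput(plain);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            while (!deflater.finished()) {
                out.write(chunk, 0, deflater.deflate(chunk));
            }
            return Base64.getEncoder().encodeToString(out.toByteArray());
        } finally {
            deflater.end();
        }
    }

    public static void main(String[] args) throws DataFormatException {
        // Constructed sample: a small, well-formed request stays far under the limit.
        String request = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_example\"/>";
        String accepted = decodeRedirectParam(
                encodeRedirectParam(request.getBytes(StandardCharsets.UTF_8)), DEFAULT_MAX_INFLATED_BYTES);
        System.out.println("accepted: " + accepted);

        // Constructed oversized input: 16 MiB of spaces deflates to a few kilobytes on the wire.
        byte[] oversized = new byte[16 << 20];
        Arrays.fill(oversized, (byte) ' ');
        String bigParam = encodeRedirectParam(oversized);
        System.out.println("oversized payload on the wire: " + bigParam.length() + " Base64 chars");
        try {
            decodeRedirectParam(bigParam, DEFAULT_MAX_INFLATED_BYTES);
            System.out.println("unexpected: oversized payload accepted");
        } catch (DataFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The size check runs before each chunk is buffered, so the most memory a hostile parameter can force is the limit plus one chunk, and `inflater.end()` in the `finally` block returns the native zlib buffers even on the rejection path. A limit on the Base64 parameter length alone is not sufficient, because the compression ratio is what the attack exploits; the bound has to be on the inflated output.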


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
Title       |                | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider
Weaknesses  |                | CWE-400
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: vmware

Updated: 2026-06-09T23:46:15.589Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40988

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:49.527

Modified: 2026-06-10T00:16:49.527

Link: CVE-2026-40988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses