Description
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.

Affected versions:
Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who controls the remote API being documented, or who can get a developer to point the documentation-generating tests at a malicious one, can return XML that carries external entity declarations. When the tests next run, that XML is processed on the machine executing them (a developer workstation or CI runner), and the entities can resolve to local files or internal network resources reachable from that machine, exposing their contents. The flaw is a classic XML External Entity (XXE) injection, CWE-611. The CVSS vector rates the impact as high for confidentiality and low for availability, with no integrity impact, which is consistent with entity resolution that reads data or ties up the parser rather than modifying anything.

Affected Systems

The spring-restdocs-webtestclient and spring-restdocs-restassured modules of Spring REST Docs are affected, in versions 2.0.0.RELEASE through 2.0.8.RELEASE, 3.0.0 through 3.0.5, and 4.0.0. Only test suites that use one of these modules to document a remote API accessed over HTTP match the vulnerable condition; both are test-scope dependencies, so the exposure is in the build and test environment rather than in the deployed application.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 (Medium) reflects a network attack vector with high attack complexity, no privileges required, and user interaction required: the attacker must either compromise the remote API or coerce a developer into running the documentation tests against a malicious one, and the payload only fires when those tests next execute. No EPSS score is available and the vulnerability is not in the CISA KEV catalog, so there is no indication of known exploitation. The realistic exposure is a test or CI environment whose documentation tests target an endpoint the attacker controls or has compromised.

Generated by OpenCVE AI on June 10, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring REST Docs to a release outside the affected ranges (later than 4.0.0, 3.0.5 or 2.0.8.RELEASE, respectively) once the vendor publishes one; no fix is listed on this page yet.
  • Until then, run the documentation-generating tests only against an API you control, on a pinned and trusted host, rather than against arbitrary remote endpoints over HTTP. These modules are test dependencies, so the control point is the test and CI environment, not production.
  • Where test code parses XML response bodies itself, configure the XML parser to reject DOCTYPE declarations and to disable external general and parameter entities before it touches any response from a remote API.
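As an added example (not Spring REST Docs' own code, and not a description of how the library parses XML internally), the following Java class shows the parser hardening the last item above asks for and, for contrast, the default JAXP configuration that exhibits the mechanism described under Impact: a response body whose entity points at a local file is expanded by the default DocumentBuilderFactory and rejected by the hardened one. The class name, the temporary secret file, and the two response bodies are all constructed for the demonstration; it needs Java 11 or later and only the JDK.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/**
 * Added example, not Spring REST Docs code: hardened JAXP parsing for a test
 * utility that processes XML response bodies fetched from a remote API, next to
 * the default configuration that resolves external entities (CWE-611).
 */
public final class SafeXmlResponseParser {

    private SafeXmlResponseParser() {
    }

    /** Factory with DOCTYPE processing and all external entity resolution switched off. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright, so neither internal nor external
        // entity declarations are ever seen. This alone defeats classic XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);          // XInclude is another route to remote content
        dbf.setExpandEntityReferences(false);
        try {
            // JAXP 1.5 properties: forbid any external DTD or schema fetch over any protocol.
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Older third-party Xerces builds do not know these properties;
            // the features above already cover the same ground.
        }
        return dbf;
    }

    /** Parses an untrusted body with the hardened factory; any DOCTYPE makes this throw. */
    public static Document parseUntrusted(String body) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        // Last line of defence: refuse to resolve anything even if a feature were ignored.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity access blocked: " + systemId);
        });
        return builder.parse(new InputSource(new StringReader(body)));
    }

    /** The vulnerable shape: JDK defaults resolve external general entities. */
    public static Document parseWithDefaults(String body) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(body)));
    }

    private static String hostText(Document doc) {
        return doc.getDocumentElement().getElementsByTagName("host").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the machine running the tests.
        Path secret = Files.createTempFile("documented-api-secret", ".txt");
        Files.writeString(secret, "secret-token-value");
        try {
            // Constructed sample of a response an attacker-controlled API could return:
            // the entity points at a local file reachable from the test runner.
            String malicious = "<?xml version=\"1.0\"?>\n"
                    + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                    + "<response><host>&xxe;</host></response>";
            String benign = "<response><host>api.example.internal</host></response>";

            // Default parser: the file's contents end up inside the parsed response.
            System.out.println("defaults leaked: " + hostText(parseWithDefaults(malicious)));

            // Hardened parser: the benign body still parses, the malicious one is rejected.
            System.out.println("hardened benign: " + hostText(parseUntrusted(benign)));
            try {
                parseUntrusted(malicious);
                System.out.println("UNEXPECTED: malicious body accepted");
            } catch (SAXParseException e) {
                System.out.println("hardened rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The disallow-doctype-decl feature is the one that matters most: it stops the parser before any entity declaration is read, so neither the classic in-band file read nor an out-of-band fetch to an attacker host can start. The remaining features, the JAXP access properties and the throwing EntityResolver are there so the protection does not depend on a single parser implementation honouring one flag.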


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:00:00 +0000

Values added:
  • Description: the text quoted in the Description section above.
  • Title: XML External Entity (XXE) injection when documenting untrusted XML content
  • Weaknesses: CWE-611
  • Metrics: CVSS v3.1 base score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Values removed: none.



MITRE

Status: PUBLISHED

Assigner: vmware

Updated: 2026-06-09T23:46:33.676Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40991

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:50.087

Modified: 2026-06-10T00:16:50.087

Link: CVE-2026-40991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses