Description
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).

Affected versions:
Spring Security 7.0.0 through 7.0.5.
Published: 2026-06-09
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Security allows unfiltered Java deserialization of SAML 2.0 asserting party credentials stored in a database table. If an attacker writes malicious serialized objects into the columns containing verification or encryption credentials, those objects can be later deserialized by the application, resulting in execution of arbitrary code. The weakness is classified as CWE‑502, reflecting insecure deserialization.

Affected Systems

The issue affects Spring Security 7.0.0 through 7.0.5, specifically the JdbcAssertingPartyMetadataRepository component that manages the saml2_asserting_party_metadata table. Users deploying these versions of Spring Security are potentially at risk when the database allows write access to that table.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity for this vulnerability. The EPSS score is not available, and the vulnerability is not currently listed in CISA KEV. Exploitation requires the attacker to have write permissions to the saml2_asserting_party_metadata table, a condition that could arise from misconfiguration or an insider with database access. If write privileges are granted, the attacker can implant a malicious payload that will be deserialized later during SAML processing, providing a path to remote code execution.

Generated by OpenCVE AI on June 10, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Spring Security 7.0.6 or newer patch that fixes the deserialization issue.
  • Restrict write access to the saml2_asserting_party_metadata table to prevent unauthorized credential injection.
  • Audit existing entries in the table and replace any suspicious credential blobs with validated, known‑good ones.

Generated by OpenCVE AI on June 10, 2026 at 01:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-40993 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
Title Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:46:39.702Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40993

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:50.197

Modified: 2026-06-10T00:16:50.197

Link: CVE-2026-40993

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses