Description
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Wss4jSecurityInterceptor incorrectly initializes its BSP compliance flag, disabling WSS4J Basic Security Profile enforcement on inbound requests. Because of this, services that rely on WS-Security and expect strict BSP validation may accept messages that violate protocol rules, weakening security controls. This gap can allow attackers to craft messages that bypass validation, potentially leading to unauthorized actions or data compromise. The weakness is classified as CWE-1188.

Affected Systems

Spring Web Services (vendor: Spring) is affected. Affected versions: 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; and 3.1.0 through 3.1.8.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. No EPSS score is available, so how often the vulnerability is actively exploited is unknown; the problem can be mitigated by applying a patch. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker could exploit the disabled BSP enforcement by sending crafted SOAP messages that violate BSP rules, potentially to gain a foothold or perform unauthorized operations.

Generated by OpenCVE AI on June 11, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Spring Web Services version that contains a fix for the BSP validation issue.
  • If an upgrade cannot be performed immediately, enable explicit BSP validation on inbound requests through configuration or by adding a custom interceptor.
  • Review and strengthen any custom WS-Security validation logic to enforce protocol rules manually.

Generated by OpenCVE AI on June 11, 2026 at 07:24 UTC.

Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title       |                | Wss4jSecurityInterceptor disables WS-I BSP validation by default
Weaknesses  |                | CWE-1188
References  |                |
Metrics     |                | cvssV3_1: score 8.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:03:57.827Z

Reserved: 2026-04-16T02:19:12.969Z

Link: CVE-2026-40994

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T07:16:27.297

Modified: 2026-06-11T07:16:27.297

Link: CVE-2026-40994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses