Description
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts).

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

X509AuthenticationProvider can generate a fully authenticated X509AuthenticationToken for any certificate that maps to a UserDetails object while skipping the standard Spring Security account lifecycle checks. This flaw is an authentication bypass (CWE-287) and permits an attacker to authenticate as a disabled, locked, expired, or credentials-expired account, enabling unauthorized access to protected application resources.

Affected Systems

The vulnerability affects multiple releases of Spring Web Services: 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. The vulnerable X509AuthenticationProvider ships with Spring Web Services and is used to secure applications built on it.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as Medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. The attack vector is inferred: an attacker must obtain a certificate that the application maps to a UserDetails instance and must have network access to a service performing X509 authentication. While the flaw does not provide arbitrary code execution or domain-wide privilege escalation, bypassing the account checks can expose sensitive APIs or data to an account that should have been blocked.

Generated by OpenCVE AI on June 11, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Web Services to the latest release that contains the fix for CVE-2026-40995
  • Configure the application to enforce standard account lifecycle checks (disabled, locked, expired, credentials-expired) before accepting an X509AuthenticationToken, or disable X509 authentication if it is not required
  • Monitor authentication logs for unexpected authentication events and consider implementing intrusion detection mechanisms tailored to X509 authentication
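
The second recommended action above can be enforced independently of what the X.509 provider does by decorating the UserDetailsService that the certificate-to-user mapping resolves accounts through. The following is an added example, not code from Spring Web Services or from this advisory; it assumes the application's certificate mapping ultimately calls a UserDetailsService (adapt the wrapper to whichever component produces the UserDetails) and uses Spring Security's AccountStatusUserDetailsChecker, which applies exactly the four checks the advisory names.

```java
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Decorator that applies Spring Security's standard account lifecycle checks
 * (locked, disabled, expired, credentials expired) to every UserDetails it
 * returns, so a caller that skips those checks itself, as the vulnerable
 * X509AuthenticationProvider does, still cannot obtain a usable account.
 */
public final class AccountStatusCheckingUserDetailsService implements UserDetailsService {

    private final UserDetailsService delegate;
    // Throws LockedException, DisabledException, AccountExpiredException or
    // CredentialsExpiredException (all subclasses of AccountStatusException).
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public AccountStatusCheckingUserDetailsService(UserDetailsService delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = delegate.loadUserByUsername(username);
        checker.check(user); // reject the account before any token can be built from it
        return user;
    }

    // Constructed demonstration: a locked account is refused even though the
    // delegate resolves it; "cn-from-certificate" is a hypothetical name that a
    // certificate subject would map to.
    public static void main(String[] args) {
        UserDetails locked = User.withUsername("cn-from-certificate")
                .password("unused")   // never compared during certificate authentication
                .roles("USER")
                .accountLocked(true)
                .build();
        UserDetailsService wrapped =
                new AccountStatusCheckingUserDetailsService(new InMemoryUserDetailsManager(locked));
        try {
            wrapped.loadUserByUsername("cn-from-certificate");
            System.out.println("unexpected: locked account was returned");
        } catch (AccountStatusException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the check runs inside the lookup, a locked, disabled or expired account is rejected with the usual Spring Security exception before the provider can wrap it in an X509AuthenticationToken.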

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description                    X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title                          X.509 authentication bypasses Spring Security account checks
Weaknesses                     CWE-287
References
Metrics                        cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:01.695Z

Reserved: 2026-04-16T02:19:12.969Z

Link: CVE-2026-40995

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T07:16:27.430

Modified: 2026-06-11T07:16:27.430

Link: CVE-2026-40995

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T08:00:15Z

Weaknesses