Description
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in several Spring Web Services integration paths with Spring Security can expose detailed account state, such as locked or disabled status, to remote SOAP clients via exception messages or callback results instead of generic authentication errors. This behavior, identified as CWE-209, allows an attacker to confirm whether a particular username exists and infer its lifecycle state, enabling targeted social engineering or credential-based attacks.

Affected Systems

Spring Web Services versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 are impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3 and has no available EPSS score or KEV listing. Exploitation requires a remote SOAP client to trigger authentication logic that surfaces detailed faults, which is plausible for any reachable SOAP endpoint. The attack vector is inferred to be remote over SOAP. The risk is moderate: no exploit is known to be in circulation, but the flaw offers a clear pathway for account enumeration and potential follow-on escalation.

Generated by OpenCVE AI on June 11, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Web Services to 5.0.2 or newer, or to the latest patch released by the vendor.
  • If an upgrade is not immediately possible, configure the application so that every authentication failure returns the same generic SOAP fault, carrying no exception message or account-state detail, by adjusting the Spring Security integration to suppress exception details in SOAP responses.
  • Review and secure all SOAP service endpoints to limit exposure, ensuring only authenticated and authorized users can access them, and monitor for suspicious authentication attempts.
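The second recommendation above, as an added configuration example that is not from the advisory, OpenCVE or the Spring WS project: a Spring WS EndpointExceptionResolver that turns every Spring Security AuthenticationException (LockedException, DisabledException, AccountExpiredException, BadCredentialsException) and every WS-Security validation failure into one identical Client fault, so the SOAP response no longer distinguishes account states. It assumes a Java-config application protected by Wss4jSecurityInterceptor, assumes that interceptor's exceptionResolver property is the hook through which pre-endpoint validation faults are produced, and the class and bean names are invented.

```java
import java.util.Locale;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.AuthenticationException;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.EndpointExceptionResolver;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.security.WsSecurityValidationException;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

@Configuration
public class GenericAuthFaultConfig { // hypothetical class name

    // True if the exception, or anything in its cause chain, is a Spring Security
    // AuthenticationException (Locked/Disabled/Expired/BadCredentials) or a Spring WS
    // WS-Security validation failure, which may wrap one of those.
    static boolean isAuthenticationFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof AuthenticationException || c instanceof WsSecurityValidationException) {
                return true;
            }
        }
        return false;
    }

    // Writes a fixed Client/Sender fault instead of ex.getMessage(). MessageDispatcher
    // picks up EndpointExceptionResolver beans, so failures thrown from endpoints are covered too.
    @Bean
    public EndpointExceptionResolver genericAuthFaultResolver() {
        return (MessageContext ctx, Object endpoint, Exception ex) -> {
            if (!isAuthenticationFailure(ex)) {
                return false; // not an authentication failure: let the next resolver handle it
            }
            SoapMessage response = (SoapMessage) ctx.getResponse();
            // Same text for locked, disabled, expired and wrong-password outcomes.
            response.getSoapBody().addClientOrSenderFault("Authentication failed", Locale.ENGLISH);
            return true; // resolved: no account-state text leaves the server
        };
    }

    // Assumed wiring: the WS-Security interceptor handles validation failures before any
    // endpoint runs, so it needs the same resolver. Validation actions and the password
    // callback handler stay exactly as the deployment already configures them.
    @Bean
    public Wss4jSecurityInterceptor securityInterceptor(EndpointExceptionResolver genericAuthFaultResolver) {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        interceptor.setExceptionResolver(genericAuthFaultResolver);
        return interceptor;
    }
}
```

Server-side logs should still record the specific exception (the resolver leaves logging to the existing chain), so operators keep the locked/disabled detail that clients no longer see.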


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 06:45:00 +0000

Values removed: none

Values added:

Description: Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Title: SOAP security faults leak Spring Security account state

Weaknesses: CWE-209

Metrics (cvssV3_1): score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:08.960Z

Reserved: 2026-04-16T02:19:12.969Z

Link: CVE-2026-40997

NVD

Status: Received

Published: 2026-06-11T07:16:27.663

Modified: 2026-06-11T07:16:27.663

Link: CVE-2026-40997

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z