Description
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wss4jSecurityInterceptor fails to wire the Apache WSS4J ReplayCache in certain request paths, so UsernameToken nonces and creation timestamps, Timestamp elements, and SAML one-time-use tokens lose their intended replay protection. An attacker who can replay a previously intercepted message can bypass authentication checks or repeat privileged operations, compromising integrity and authentication. This weakness falls under CWE-294.

Affected Systems

Spring Web Services 3.1.0 to 3.1.8, 4.0.0 to 4.0.18, 4.1.0 to 4.1.3, and 5.0.0 to 5.0.1 are affected. These are part of the Spring Framework used to build web‑service applications that rely on the Wss4jSecurityInterceptor for security.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity; the EPSS score is not available and the vulnerability is not in the CISA KEV catalog, suggesting limited exploitation data. The likely attack vector is remote, via SOAP or REST endpoints that use the interceptor. Exploitation requires sending a replayed message with a valid UsernameToken or SAML token; if the ReplayCache is not wired, the server will accept the duplicate, giving the attacker the ability to repeat a privileged operation. Because it depends on specific interceptor wiring, successful exploitation may require configuration knowledge, reducing the overall risk.

Generated by OpenCVE AI on June 11, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Web Services to a fixed release such as 5.0.2 or later, or apply the vendor-provided patch for the ReplayCache wiring.
  • Verify that the Wss4jSecurityInterceptor configuration in the application context includes a properly instantiated ReplayCache bean and that the interceptor references it in request data.
  • As a temporary measure, restrict or disable the use of UsernameToken and SAML tokens in message exchanges until the patch is applied.

Generated by OpenCVE AI on June 11, 2026 at 07:22 UTC.
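The description above says the replay cache was configured on the interceptor but not handed to the RequestData used at validation time, and the recommended actions ask operators to verify that the interceptor really references it. The following added example is not Spring WS or WSS4J code; it is a small Python model of that validation-time check, with the class and function names (ReplayCache, RequestData, validate_username_token, replay_protection_effective) and the sample token values constructed for illustration. It shows the same UsernameToken and Timestamp element presented twice: with the caches wired, the second presentation is rejected; with a cache left at None, both are accepted, which is the failure mode the advisory describes. The last function is the shape of the check a practitioner would run against their own deployment: only a rejected duplicate proves the cache is in use.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ReplayCache:
    """Remembers an identifier until it expires: the job WSS4J's ReplayCache does."""
    ttl: timedelta
    _seen: dict = field(default_factory=dict)

    def contains(self, key: str, now: datetime) -> bool:
        expires = self._seen.get(key)
        if expires is None:
            return False
        if expires <= now:          # entry aged out, forget it
            del self._seen[key]
            return False
        return True

    def add(self, key: str, now: datetime) -> None:
        self._seen[key] = now + self.ttl


@dataclass
class RequestData:
    """Validation-time settings (a stand-in for WSS4J's RequestData). A cache left
    at None is the advisory's situation: configured on the interceptor, never wired here."""
    ttl: timedelta = timedelta(seconds=300)        # accepted age of wsu:Created
    future_ttl: timedelta = timedelta(seconds=60)  # tolerated clock skew
    nonce_cache: Optional[ReplayCache] = None
    timestamp_cache: Optional[ReplayCache] = None


@dataclass
class UsernameToken:
    username: str
    nonce: str         # opaque here; base64 in a real wsse:Nonce
    created: datetime  # wsu:Created


@dataclass
class Timestamp:
    created: datetime  # wsu:Created
    expires: datetime  # wsu:Expires


def _fresh(created: datetime, data: RequestData, now: datetime) -> bool:
    return created <= now + data.future_ttl and now - created <= data.ttl


def _seen_before(cache: Optional[ReplayCache], key: str, now: datetime) -> bool:
    """True if key was already presented; records it otherwise. No cache, no check."""
    if cache is None:
        return False
    if cache.contains(key, now):
        return True
    cache.add(key, now)
    return False


def validate_username_token(token: UsernameToken, data: RequestData, now: datetime) -> str:
    if not _fresh(token.created, data, now):
        return "rejected: stale"
    key = f"{token.username}|{token.nonce}|{token.created.isoformat()}"
    if _seen_before(data.nonce_cache, key, now):
        return "rejected: replay"
    return "accepted"


def validate_timestamp(ts: Timestamp, data: RequestData, now: datetime) -> str:
    if ts.expires <= now or not _fresh(ts.created, data, now):
        return "rejected: stale"
    key = f"{ts.created.isoformat()}|{ts.expires.isoformat()}"
    if _seen_before(data.timestamp_cache, key, now):
        return "rejected: replay"
    return "accepted"


def demo_now() -> datetime:
    return datetime(2026, 6, 11, 7, 0, tzinfo=timezone.utc)  # constructed clock


def make_wired(ttl_seconds: int = 300) -> RequestData:
    """RequestData with both caches actually wired in (the remediated state)."""
    return RequestData(nonce_cache=ReplayCache(timedelta(seconds=ttl_seconds)),
                       timestamp_cache=ReplayCache(timedelta(seconds=ttl_seconds)))


def submit_token_twice(data: RequestData, now: datetime) -> list:
    """Present one constructed UsernameToken twice, as a replayed capture would be."""
    token = UsernameToken("alice", "c2FtcGxlLW5vbmNl", now - timedelta(seconds=5))
    return [validate_username_token(token, data, now) for _ in range(2)]


def submit_timestamp_twice(data: RequestData, now: datetime) -> list:
    ts = Timestamp(now - timedelta(seconds=5), now + timedelta(seconds=295))
    return [validate_timestamp(ts, data, now) for _ in range(2)]


def replay_protection_effective(data: RequestData, now: datetime) -> bool:
    """The check behind the 'verify the interceptor references the cache' advice:
    only a second, identical token being rejected proves the cache is in use."""
    return (submit_token_twice(data, now) == ["accepted", "rejected: replay"]
            and submit_timestamp_twice(data, now) == ["accepted", "rejected: replay"])


if __name__ == "__main__":
    print(submit_token_twice(RequestData(), demo_now()))  # ['accepted', 'accepted']
    print(submit_token_twice(make_wired(), demo_now()))   # ['accepted', 'rejected: replay']
```

Note that freshness (the TTL window on wsu:Created) passes in both runs; only the cache distinguishes a first presentation from a replay inside that window, which is why a TTL alone is not a substitute for the wired cache.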


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Low


Thu, 11 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spring; Spring spring Web Services
Vendors & Products | | Spring; Spring spring Web Services

Thu, 11 Jun 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title | | WSS4J validation does not use configured replay cache
Weaknesses | | CWE-294
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Spring Spring Web Services
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-23T19:53:11.880Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-41000

Vulnrichment

Updated: 2026-06-11T15:13:18.609Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T07:16:28.037

Modified: 2026-06-11T15:21:30.653

Link: CVE-2026-41000

Redhat

Severity: Low

Published Date: 2026-06-11T05:04:24Z

Links: CVE-2026-41000 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T10:40:14Z

Weaknesses
  • CWE-294

    Authentication Bypass by Capture-replay