Description
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Published: 2026-06-11
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wss4jSecurityInterceptor fails to wire the Apache WSS4J ReplayCache into RequestData on certain request paths, so UsernameToken nonces and creation timestamps, Timestamp elements, and SAML one-time-use tokens lose their intended replay protection. An attacker who can replay a previously intercepted message may bypass authentication checks or repeat privileged operations, compromising integrity and authentication. This weakness falls under CWE-294 (Authentication Bypass by Capture-replay).

Affected Systems

Spring Web Services 3.1.0 to 3.1.8, 4.0.0 to 4.0.18, 4.1.0 to 4.1.3, and 5.0.0 to 5.0.1 are affected. Spring Web Services is the Spring project for building web-service applications; deployments are exposed when they rely on Wss4jSecurityInterceptor for WS-Security processing.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity; no EPSS score is available and the vulnerability is not in the CISA KEV catalog, so exploitation data is limited. The attack vector is remote, via SOAP endpoints secured by the interceptor. Exploitation requires capturing and resending a message that carries a valid UsernameToken or SAML token; when the ReplayCache is not wired, the server accepts the duplicate, allowing a privileged operation to be repeated. Because the outcome depends on the specific interceptor wiring, successful exploitation may require knowledge of the target configuration, which lowers the overall risk.

Generated by OpenCVE AI on June 11, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Web Services to a fixed release such as 5.0.2 or later, or apply the vendor-provided patch for the ReplayCache wiring.
  • Verify that the Wss4jSecurityInterceptor configuration in the application context includes a properly instantiated ReplayCache bean and that the interceptor references it in request data.
  • As a temporary measure, restrict or disable the use of UsernameToken and SAML tokens in message exchanges until the patch is applied.

Tracking


Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Title WSS4J validation does not use configured replay cache
Weaknesses CWE-294
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:24.413Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-41000

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:28.037

Modified: 2026-06-11T07:16:28.037

Link: CVE-2026-41000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses