The vulnerability permits an attacker to decrypt SAML Responses, LogoutRequest, and LogoutResponse messages even when the payloads are not signed, a weakness classified as CWE-347 (Improper Restriction on Use of Cryptography). This flaw can lead to disclosure of authentication tokens or other sensitive data contained in the encrypted SAML assertions, thereby undermining the integrity of the Service Provider’s authentication flow. While the flaw does not enable direct code execution or privilege escalation, the confidential information revealed could be used to compromise user sessions.

Spring Security library, versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5, are affected.

The CVSS score of 3.7 indicates a medium severity, and EPSS is unavailable; the vulnerability is not listed in CISA KEV. Attackers would typically send crafted unsigned SAML payloads to SAML endpoints handled by Spring Security. Based on the description, the likely attack vector is over the network to the SAML assertion consumer or logout endpoint, using the Service Provider as a decryption oracle to learn the contents of encrypted messages that would otherwise remain confidential. No authentication bypass or code execution is directly tied to the flaw; the primary risk is data disclosure within the scope of reachable SAML messages.