HarborGuard Database

CVE-2026-40988 · Severity: HIGH · CNA: vmware

CVE-2026-40988: Unbounded DEFLATE Inflation in SAML 2.0 Service Provider

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, 7.0.6
Affected products: 1 (Spring Security)


HarborGuard Analysis

Synopsis

An unbounded DEFLATE decompression flaw affects the SAML 2.0 Service Provider component of Spring Security (spring-security-saml2-service-provider). It is reachable over the network with no authentication: an attacker sends a specially crafted compressed SAML message to the REDIRECT-binding endpoint used by the Login or Logout flow, and the service inflates it into memory without limiting the decompressed size. Successful exploitation exhausts process memory and denies service. Patched-image rebuilds at versions 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, and 7.0.6 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle spring-security-saml2-service-provider. Any image whose dependency manifest includes an affected Spring Security version is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine routing priority. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

Patched-image rebuilds at the fixed versions (5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, 7.0.6) are available on HarborGuard for any image found to carry an affected release. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The SAML REDIRECT binding endpoint must be reachable over the network; the attacker sends the malicious payload directly to the exposed login or logout URL.

  • Authentication: Not required

    No account or session is needed; the vulnerable endpoint processes unauthenticated SAML redirect requests by design.

  • Victim interaction: Not required

    No user action is required; the attacker submits the crafted request directly to the service.

  • Attack complexity: Low

    The only precondition is that the application uses the REDIRECT binding for SAML 2.0 Login or Logout. Beyond that, the exploit is reliable, with no race conditions or environmental dependencies.

Blast Radius

  • The affected service runs out of memory while inflating the oversized DEFLATE payload, crashing the process or making it unresponsive.
  • Every user of the application loses the login and logout flows, and any in-process session state, until the service is restarted.
  • Repeated requests can prevent recovery and keep the service in a continuous denial-of-service state without any persistence on the host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image carrying a Spring Security release in the affected ranges. Where compliance policy permits, HarborGuard can rebuild images against the fixed versions (5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, depending on the branch in use). For customers who opt into auto-remediation, the platform runs a regression test and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. Where an immediate rebuild is not yet possible, the recommended compensating controls are a network policy or WAF rule in front of the SAML redirect endpoint that caps inbound request size, and temporarily disabling the REDIRECT binding in the service-provider configuration until the patched dependency is deployed, where the identity provider can be switched to the POST binding instead. Two caveats on the size cap: with the REDIRECT binding the message travels in the SAMLRequest or SAMLResponse query parameter, so the URL or query-string length is the limit that matters; and a cap on the compressed input only bounds the damage rather than removing it, because DEFLATE expands by up to roughly 1032:1, so a 4 KB parameter can still inflate to about 4 MB per request.
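As an added illustration, not code from Spring Security or from HarborGuard, the following Python reproduces the mechanism the synopsis describes and the bounded inflater that the compensating controls above can only approximate. It encodes a message the way the SAML 2.0 HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), inflates it once with no output cap and once with a cap, and feeds both a constructed decompression bomb. The function names (encode_redirect_param, build_bomb_param, inflate_unbounded, inflate_bounded, demo), the sample AuthnRequest XML, and the 1 MB zero-byte bomb are all assumptions made for this example; they do not reflect how Spring Security's own inflater is written.

```python
"""Added example (not Spring Security's or HarborGuard's code).

The SAML 2.0 HTTP-Redirect binding carries a raw-DEFLATE, base64, URL-encoded
message in the SAMLRequest/SAMLResponse query parameter. A service provider
that inflates it with no cap on the decompressed size can be handed a
parameter of about one kilobyte that expands to a megabyte or more.
All names and sample data below are assumptions made for this demo.
"""
import base64
import urllib.parse
import zlib

# Negative wbits selects raw DEFLATE (no zlib/gzip header), as the Redirect binding requires.
RAW_DEFLATE = -15

# Constructed sample message; not a real IdP/SP exchange.
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_demo1" Version="2.0" IssueInstant="2026-01-01T00:00:00Z"/>'
)


def encode_redirect_param(xml: bytes) -> str:
    """Encode a SAML message the way the Redirect binding does: DEFLATE -> base64 -> URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def build_bomb_param(inflated_size: int) -> str:
    """Constructed decompression bomb: a run of zero bytes deflates near DEFLATE's ~1032:1 ceiling."""
    return encode_redirect_param(b"\x00" * inflated_size)


def inflate_unbounded(param: str) -> bytes:
    """The vulnerable pattern: decode and inflate the whole message into memory, whatever size it becomes."""
    deflated = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(deflated, RAW_DEFLATE)


class InflateLimitExceeded(ValueError):
    """Raised when the inflated message grows past the configured cap."""


def inflate_bounded(param: str, max_inflated: int = 64 * 1024, chunk: int = 8192) -> bytes:
    """Hardened pattern: inflate incrementally and abort as soon as the output exceeds max_inflated.

    Peak memory is bounded by roughly max_inflated + chunk no matter how the input was crafted.
    """
    deflated = base64.b64decode(urllib.parse.unquote(param))
    inflater = zlib.decompressobj(RAW_DEFLATE)
    out = bytearray()
    pending = deflated
    while not inflater.eof:
        # max_length caps the output of this call; unread input is parked in unconsumed_tail.
        piece = inflater.decompress(pending, chunk)
        out += piece
        if len(out) > max_inflated:
            raise InflateLimitExceeded(
                f"inflated SAML message exceeds {max_inflated} bytes "
                f"(from {len(deflated)} compressed bytes)"
            )
        pending = inflater.unconsumed_tail
        if not piece and not pending:
            # No output and no input left but no end-of-stream marker seen: truncated or corrupt.
            raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def demo() -> dict:
    """Run both inflaters over a legitimate message and the constructed bomb; return the observations."""
    legit = encode_redirect_param(SAMPLE_XML)
    bomb = build_bomb_param(1_000_000)  # about 1 MB of zeros
    try:
        inflate_bounded(bomb)
        bomb_rejected = False
    except InflateLimitExceeded:
        bomb_rejected = True
    return {
        "legit_roundtrip_ok": inflate_bounded(legit) == SAMPLE_XML,
        "bomb_param_len": len(bomb),  # what a request-size limit on the endpoint sees
        "bomb_inflated_len": len(inflate_unbounded(bomb)),  # what the vulnerable path allocates
        "bomb_rejected_by_bounded": bomb_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the ratio: the bomb parameter is on the order of a kilobyte, so a request-size limit on the redirect endpoint only bounds the inflated size to roughly a thousand times whatever parameter length it allows. The output cap inside inflate_bounded is what makes memory use independent of the attacker's input, which is the property the fixed Spring Security releases restore.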


Fix available

5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, 7.0.6
Affected packages
  • Spring / Spring Security
    < 5.7.24 (from 5.7.0) · < 5.8.26 (from 5.8.0) · < 6.3.17 (from 6.3.0) · < 6.4.17 (from 6.4.0) · < 6.5.11 (from 6.5.0) · < 7.0.6 (from 7.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H