CVE-2026-40993: Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: 7.0.6
- Affected Products: 1
HarborGuard Analysis
Synopsis
Unfiltered Java native deserialization in Spring Security's SAML 2.0 asserting-party metadata repository allows an attacker with database write access to plant malicious serialized payloads in the saml2_asserting_party_metadata table. The vulnerability is reachable from an adjacent network, requires a high-privilege account, and involves high attack complexity due to the preconditions needed. Successful exploitation gives the attacker the ability to tamper with integrity-sensitive data and disrupt service availability. A patched-image rebuild at Spring Security 7.0.6 is available on HarborGuard for environments running an affected version (7.0.0 through 7.0.5).
HarborGuard Coverage
Detection of CVE-2026-40993 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Spring Security. Coverage extends to both direct and transitive inclusions of the affected library in container layers.
HarborGuard is capable of scoring this finding at CVSS 7.3 (HIGH) and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Spring Security 7.0.6 becomes available on HarborGuard as soon as the fix version is resolvable from upstream package feeds. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads without manual intervention.
Exploit Conditions
- Network reachability
  The attacker must be on an adjacent network, such as a shared LAN or VPN segment, to reach the database or application interface exposing the vulnerable table.
- Authentication: Required
  An admin-level or otherwise highly privileged database account is needed to write to the saml2_asserting_party_metadata table managed by JdbcAssertingPartyMetadataRepository.
- Victim interaction: Not required
  No user action is required; the malicious payload executes when the application deserializes the stored credential columns without prompting any end user.
- Attack complexity
  Exploitation involves non-trivial preconditions, specifically obtaining high-privilege database write access and crafting a valid serialized payload, making reliable exploitation environmentally dependent.
Blast Radius
- Attacker overwrites verification_credentials or encryption_credentials columns with crafted payloads, corrupting trust relationships for SAML 2.0 asserting parties.
- Integrity of the SAML metadata repository is compromised, allowing the attacker to substitute malicious signing or encryption keys used in federated authentication flows.
- Service availability is disrupted when the application attempts to deserialize the malicious payload, triggering uncaught exceptions or crashes in the SAML processing pipeline.
- Depending on the deserialization gadget chain present on the classpath, arbitrary code execution on the application host is a realistic outcome of successful payload delivery.
How HarborGuard Handles This
Available on HarborGuard: detection and remediation capabilities for CVE-2026-40993 are provided across customer environments scanning images that include Spring Security 7.0.0 through 7.0.5. A patched-image rebuild pinned to Spring Security 7.0.6 is available as soon as the upstream fix resolves in package feeds. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image, executing the configured regression test suite, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with CVSS scoring and ownership routing so teams can act manually. As a compensating control until the patch is applied, customers can restrict database-level write permissions to the saml2_asserting_party_metadata table to only tightly scoped service accounts, and apply network-policy isolation to limit which workloads can reach the database from adjacent network segments.
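As an added illustration of what "unfiltered" means here (this is not Spring Security's code and does not describe the 7.0.6 fix), the class below reads the same serialized bytes once through a plain ObjectInputStream and once through a JDK ObjectInputFilter allowlist; CredentialRecord and UnexpectedType are stand-ins constructed for the example.

```java
import java.io.*;
// Added example, not Spring Security code: an unfiltered ObjectInputStream instantiates
// any Serializable class named in the stored bytes; a JDK ObjectInputFilter allowlist
// rejects unexpected classes before they are instantiated.
public class FilteredBlobRead {
    // Stand-in for a legitimate credential record (constructed for this example).
    static final class CredentialRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String keyId;
        CredentialRecord(String keyId) { this.keyId = keyId; }
    }
    // Stand-in for a class that should never appear in a credential column.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unfiltered read: every class descriptor in the stream is resolved and instantiated.
    static Object readUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return ois.readObject();
        }
    }

    // Filtered read: only allowlisted classes pass; the trailing "!*" rejects all others,
    // so an unexpected class fails with InvalidClassException before instantiation.
    static Object readFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                CredentialRecord.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(allow);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new CredentialRecord("signing-key-1"));
        byte[] bad = serialize(new UnexpectedType());
        System.out.println("unfiltered accepts: " + readUnfiltered(good).getClass().getSimpleName()
                + " and " + readUnfiltered(bad).getClass().getSimpleName());
        System.out.println("filtered accepts: " + readFiltered(good).getClass().getSimpleName());
        try { readFiltered(bad); }
        catch (InvalidClassException e) { System.out.println("filtered rejects UnexpectedType"); }
    }
}
```

The same allowlist idea can be applied process-wide with the `jdk.serialFilter` system property rather than per stream.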
Fix available
- Spring / Spring Security: < 7.0.6 (from 7.0.0)
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H