HarborGuard Database
CVE-2026-40994 · Severity: HIGH · CNA: vmware

CVE-2026-40994: Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag in a way that caused inbound validation to disable WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: 3.1.9
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass-class misconfiguration exists in Spring Web Services (Wss4jSecurityInterceptor) across multiple release lines. The interceptor incorrectly initializes its BSP (WS-I Basic Security Profile) compliance flag, causing inbound WS-Security validation to skip BSP rule enforcement. Reachable over the network without any credentials, a remote attacker can send non-compliant WS-Security messages that the service incorrectly accepts, enabling unauthorized data tampering and partial information disclosure. Patched-image rebuilds at versions 3.1.9, 4.0.19, 4.1.4, and 5.0.2 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40994 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring Web Services. Coverage applies to images in connected registries and active CI/CD pipelines.

Triage (Available)

Triage is available with the CVSS v3.1 score of 8.2 (HIGH) applied automatically, weighted against each customer environment's compliance policy to surface urgency accurately. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

Patched-image rebuilds at Spring Web Services versions 3.1.9, 4.0.19, 4.1.4, and 5.0.2 are available on HarborGuard for each affected release line. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Not required

    No credentials or account of any kind are needed; the CVSS vector specifies PR:N (no privileges required).

  • Victim interaction: Not required

    The attacker does not need any action from a user or operator; the CVSS vector specifies UI:N.

  • Attack complexity: Low

    Exploitation is reliable and requires no special preconditions; the CVSS vector specifies AC:L, meaning no race conditions or special environmental factors need to align.

Blast Radius

  • A successful attacker can send WS-Security messages that violate BSP rules and have them accepted, bypassing protocol-level integrity checks on inbound SOAP traffic.
  • Integrity of processed messages is fully compromised (CVSS I:H); the attacker can manipulate message content, headers, or security tokens that the service then acts upon as legitimate.
  • Confidentiality is partially exposed (CVSS C:L); crafted non-compliant messages may allow the attacker to extract information surfaced in service responses or error handling.
  • Availability is not directly affected by this vulnerability; the service continues running but processes attacker-controlled content.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image found to include an affected Spring Web Services version across any of the four impacted release lines (3.1.x, 4.0.x, 4.1.x, 5.0.x). Where compliance policy permits, HarborGuard can rebuild the image at the appropriate fixed version (3.1.9, 4.0.19, 4.1.4, or 5.0.2 depending on the branch in use). For customers who opt into auto-remediation, the full flow is available: patched rebuild, regression-test run, and a pull request opened against affected workloads. For HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is deployed, consider applying network policy to restrict which callers can reach WS-Security endpoints, and auditing service logs for WS-Security processing errors that may indicate non-compliant message attempts.


Fix available

3.1.9, 4.0.19, 4.1.4, 5.0.2

Affected packages
  • Spring / Spring Web Services
    < 5.0.2 (from 5.0.0) · < 4.1.4 (from 4.1.0) · < 4.0.19 (from 4.0.0) · < 3.1.9 (from 3.1.0)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N