CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 3.1.9
- Affected Products: 1
HarborGuard Analysis
Synopsis
XML External Entity (XXE) injection in Spring Web Services allows a remote, unauthenticated attacker to exploit the Jaxp13XPathTemplate class when it processes StreamSource or SAXSource inputs. The vulnerable code path parses attacker-controlled XML using the JDK's default DocumentBuilderFactory instead of Spring's hardened parser configuration, exposing external entity resolution over the network. Successful exploitation reads files and internal resources accessible to the application process, and allows limited data tampering via side-channel writes. Patched-image rebuilds at versions 3.1.9, 4.0.19, 4.1.4, and 5.0.2 are available on HarborGuard for affected environments.
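As an added illustration (not code from Spring Web Services or HarborGuard), the following JDK-only Java contrasts the bare `DocumentBuilderFactory.newInstance()` default named in the advisory with a hardened factory, parses untrusted XML once and only then evaluates XPath against the resulting DOM. The class name, the chosen feature set and the sample payload are my own; the hardening is illustrative and is not a copy of Spring's actual parser configuration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXPathEval {

    // The affected code path used the unhardened default, i.e. a plain
    // DocumentBuilderFactory.newInstance() with none of the features below set,
    // so DOCTYPE handling and entity resolution were left to the JDK/parser defaults.
    // HARDENED: reject DOCTYPE outright (so no entity can be declared), and as
    // defence in depth also disable external entities, external DTD loading,
    // XInclude and entity expansion. Illustrative hardening, not Spring WS's own.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse with the given factory, then evaluate XPath against the resulting DOM;
    // the raw bytes are never handed to a second, differently configured parser.
    static String evaluate(DocumentBuilderFactory factory, String xml, String xpath) throws Exception {
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return XPathFactory.newInstance().newXPath().evaluate(xpath, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity with a placeholder
        // URL. The hardened parser refuses the document before any resolution happens.
        String payload = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"http://example.invalid/never-fetched\">]>"
            + "<order><id>&ext;</id></order>";
        try {
            evaluate(hardenedFactory(), payload, "/order/id");
            System.out.println("UNEXPECTED: hardened parser accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
        // A DOCTYPE-free document still evaluates normally.
        System.out.println(evaluate(hardenedFactory(), "<order><id>42</id></order>", "/order/id"));
    }
}
```

Applications that must feed a Spring XPath template with untrusted input can parse with a factory like this first and hand over the already-parsed DOM rather than a raw stream, so the template's own parsing path is never reached (an approach assumed here, not one stated in the advisory).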
HarborGuard Coverage
Detection of CVE-2026-40998 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. Coverage extends to custom-built images that bundle any affected Spring Web Services release across all four vulnerable version ranges.
HarborGuard is capable of scoring this CVE at CVSS 8.2 HIGH and weighting the finding against each customer environment's compliance policy to surface it at the appropriate severity threshold. Triage routing is available to direct findings to the correct team inbox within each organization based on image ownership and policy configuration.
A patched-image rebuild at the applicable fix version (3.1.9, 4.0.19, 4.1.4, or 5.0.2, depending on the branch in use) becomes available in HarborGuard once the affected image is identified. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the vulnerable Spring Web Services endpoint over the network to submit a crafted XML payload.
- Authentication: Not required
No credentials or account are needed; the vulnerable endpoint can be reached anonymously.
- Victim interaction: Not required
Exploitation is fully server-side and requires no action from any user or administrator.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions or special environmental factors are required to trigger external entity resolution.
Blast Radius
- A successful attacker reads arbitrary files on the server filesystem that the application process has permission to open, including configuration files, credentials, and private keys.
- The attacker can trigger outbound HTTP or DNS requests from the server to internal network resources, effectively using the application as a proxy to probe internal infrastructure.
- CVSS integrity impact is rated Low, meaning the attacker can induce limited out-of-band data writes or server-side request forgery interactions, but cannot directly overwrite application data.
- Availability is not impacted; the service remains running and there is no crash or denial-of-service primitive exposed by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection against all four affected Spring Web Services version ranges is active across customer image registries and build pipelines, with findings scored at CVSS 8.2 HIGH and routed per each organization's compliance policy. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to the correct fix version (3.1.9, 4.0.19, 4.1.4, or 5.0.2 depending on the branch), a regression test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with remediation guidance so engineers can apply the upstream fix manually. As an interim compensating control while a rebuild is staged, consider applying network egress filtering to prevent the application process from making outbound HTTP and DNS connections to unexpected destinations, which limits the usefulness of any successful XXE probe.
Fix available
- Spring / Spring Web Services: < 5.0.2 (from 5.0.0) · < 4.1.4 (from 4.1.0) · < 4.0.19 (from 4.0.0) · < 3.1.9 (from 3.1.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N