{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-40999: Spring WS SSRF via unvalidated WS-Addressing reply destinations","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-40999","status":"final","version":"1","initial_release_date":"2026-06-11T05:04:17.009Z","current_release_date":"2026-06-11T16:13:51.035Z","revision_history":[{"date":"2026-06-11T05:04:17.009Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Because those ReplyTo and FaultTo addresses are attacker-controlled request data, an unauthenticated remote client can cause the server to deliver its response or fault message to a URL of the client's choosing (server-side request forgery), potentially reaching hosts and services that are only accessible from the server itself. Deployments that do not process WS-Addressing headers, or that only accept the anonymous reply address, do not meet the precondition described here.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.\n\nFixed versions:\n5.0.2; 4.1.4; 4.0.19; 3.1.9.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-40999 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-40999"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-40999"},{"category":"external","summary":"spring.io","url":"https://spring.io/security/cve-2026-40999"}]},"product_tree":{"branches":[{"category":"vendor","name":"Spring","branches":[{"category":"product_name","name":"Spring Web Services","branches":[{"category":"product_version_range","name":">=5.0.0 <5.0.2","product":{"name":"Spring Spring Web Services >=5.0.0 <5.0.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=4.1.0 <4.1.4","product":{"name":"Spring Spring Web Services >=4.1.0 <4.1.4","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=4.0.0 <4.0.19","product":{"name":"Spring Spring Web Services >=4.0.0 <4.0.19","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=3.1.0 <3.1.9","product":{"name":"Spring Spring Web Services >=3.1.0 <3.1.9","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-40999","title":"Spring WS SSRF via unvalidated WS-Addressing reply destinations","notes":[{"category":"description","text":"When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Because those ReplyTo and FaultTo addresses are attacker-controlled request data, an unauthenticated remote client can cause the server to deliver its response or fault message to a URL of the client's choosing (server-side request forgery), potentially reaching hosts and services that are only accessible from the server itself. Deployments that do not process WS-Addressing headers, or that only accept the anonymous reply address, do not meet the precondition described here.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.\n\nFixed versions:\n5.0.2; 4.1.4; 4.0.19; 3.1.9.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 3.1.9, 4.0.19, 4.1.4, 5.0.2.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}