CVE-2026-41003 · Severity: HIGH · CNA: vmware

CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Metrics

CVSS v3.1: 7.6
Severity: HIGH
Fixed in: 5.7.24
Affected products: 1


HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) vulnerability exists in Spring Security's HTML form rendering: values taken from RelyingPartyRegistration are written into generated HTML without HTML encoding. An attacker who can influence those registration values, over the network with a low-privilege account, can inject script that executes in a victim's browser when the victim loads or submits the affected form. Successful exploitation reads sensitive data from the victim's session (including session tokens) and allows limited tampering with page content. Patched-image rebuilds at versions 5.7.24, 5.8.26, 6.3.17, 6.4.17, and 6.5.11 are available on HarborGuard for environments running an affected version.
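To make the defect class concrete, here is an added example in Java (mine, not code from Spring Security or HarborGuard) that contrasts a form renderer copying registration values into markup verbatim with one that HTML-encodes them first. The `Registration` record, the two render methods and the quote-count check are hypothetical stand-ins for the real framework types, the sample input is constructed, and the code needs Java 16 or later.

```java
// Added illustration, not Spring Security's code: a toy form renderer showing
// why a value copied into HTML without encoding is dangerous and how an
// attribute-safe encoder closes the hole.
public final class FormEncodingDemo {

    /** Hypothetical stand-in for a relying-party registration; not the Spring Security class. */
    public record Registration(String registrationId, String assertionConsumerServiceLocation) {}

    /** Vulnerable pattern: untrusted values are concatenated straight into markup. */
    public static String renderUnencoded(Registration r) {
        return "<form action=\"" + r.assertionConsumerServiceLocation() + "\" method=\"post\">"
             + "<input type=\"hidden\" name=\"RelayState\" value=\"" + r.registrationId() + "\"/>"
             + "</form>";
    }

    /** Hardened pattern: every untrusted value is HTML-encoded before insertion. */
    public static String renderEncoded(Registration r) {
        return "<form action=\"" + htmlEncode(r.assertionConsumerServiceLocation()) + "\" method=\"post\">"
             + "<input type=\"hidden\" name=\"RelayState\" value=\"" + htmlEncode(r.registrationId()) + "\"/>"
             + "</form>";
    }

    /**
     * Encodes the characters that can terminate a quoted attribute or open a tag.
     * Encoding '&' as well keeps the output unambiguous when decoded by the browser.
     */
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&'  -> sb.append("&amp;");
                case '<'  -> sb.append("&lt;");
                case '>'  -> sb.append("&gt;");
                case '"'  -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default   -> sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Review-time check: the template contributes a fixed number of double quotes
     * (five attributes, ten quotes), so any extra quote in the rendered output means
     * an untrusted value broke out of its attribute.
     */
    public static boolean attributeBoundaryIntact(String rendered, int expectedQuotes) {
        long quotes = rendered.chars().filter(c -> c == '"').count();
        return quotes == expectedQuotes;
    }

    public static void main(String[] args) {
        // Constructed sample input: a registration id carrying a quote and angle brackets.
        Registration r = new Registration("acme\"><em>x</em>", "https://idp.example/saml2/acs");
        int quotesInTemplate = 10;

        String unsafe = renderUnencoded(r);
        String safe = renderEncoded(r);

        System.out.println("unencoded: " + unsafe);
        System.out.println("boundary intact: " + attributeBoundaryIntact(unsafe, quotesInTemplate)); // false
        System.out.println("encoded:   " + safe);
        System.out.println("boundary intact: " + attributeBoundaryIntact(safe, quotesInTemplate));   // true
    }
}
```

In a real Spring application the hand-rolled `htmlEncode` above would be replaced by an established encoder such as `org.springframework.web.util.HtmlUtils.htmlEscape`; the point of the toy version is only to show which characters must never reach an attribute unencoded, and the quote-count check is the kind of cheap assertion a unit test can run over every rendered form.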

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-41003 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle an affected Spring Security version, not just upstream base images.

Triage (Available)

HarborGuard is capable of scoring this CVE at 7.6 HIGH (CVSS v3.1) and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

Patched-image rebuilds at Spring Security versions 5.7.24, 5.8.26, 6.3.17, 6.4.17, and 6.5.11 become available on HarborGuard the moment the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Spring Security application over the network to submit or influence RelyingPartyRegistration values.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must be authenticated to influence the relevant registration values.

  • Victim interaction: Required

    A victim must interact with (for example, load or submit) the HTML form generated by Spring Security for the injected script to execute in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental prerequisites beyond the attacker's ability to influence registration values.

Blast Radius

  • Reads the victim's active session tokens and any sensitive data exposed in the browser session context.
  • Injects and executes arbitrary JavaScript in the victim's browser under the application's origin.
  • Allows limited modification of page content visible to the victim, such as altering form fields or displayed data.

How HarborGuard Handles This

Available on HarborGuard: detection is active for all images containing an affected Spring Security version (5.7.0-5.7.23, 5.8.0-5.8.25, 6.3.0-6.3.16, 6.4.0-6.4.16, 6.5.0-6.5.10, or 7.0.0-7.0.5), matched within minutes of CVE publication. Where compliance policy permits, HarborGuard can rebuild affected images at the fixed versions (5.7.24, 5.8.26, 6.3.17, 6.4.17, or 6.5.11 as appropriate for the installed branch); for customers with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers not yet on auto-remediation should prioritize updating Spring Security to the relevant fix version and, as a compensating control, restrict which principals can modify RelyingPartyRegistration values until the patched image is deployed.


Fix available: 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, 7.0.6
Affected packages
  • Spring / Spring Security
    < 5.7.24 (from 5.7.0) · < 5.8.26 (from 5.8.0) · < 6.3.17 (from 6.3.0) · < 6.4.17 (from 6.4.0) · < 6.5.11 (from 6.5.0) · < 7.0.6 (from 7.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N