CVE-2026-40994 PUBLISHED

Wss4jSecurityInterceptor disables WS-I BSP validation by default

Assigner: vmware
Reserved: 16.04.2026 Published: 11.06.2026 Updated: 11.06.2026

Wss4jSecurityInterceptor initialized its WS-I Basic Security Profile (BSP) compliance flag such that, during inbound validation, BSP enforcement was disabled on the RequestData handed to WSS4J. Services that use the interceptor to validate WS-Security on messages received over the network could therefore accept messages that violate BSP rules, weakening the protocol-level checks that WSS4J would otherwise apply.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CVSS Score: 8.2

Product Status

Vendor Spring
Product Spring Web Services
Versions Default: unaffected
  • affected from 5.0.0 to 5.0.2 (excl.)
  • affected from 4.1.0 to 4.1.4 (excl.)
  • affected from 4.0.0 to 4.0.19 (excl.)
  • affected from 3.1.0 to 3.1.9 (excl.)

References

Problem Types

  • CWE-1188: Initialization of a Resource with an Insecure Default

Impacts

  • Services using Wss4jSecurityInterceptor for inbound WS-Security validation can accept messages that violate BSP rules around signatures because BSP enforcement is disabled by default.
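The remediation is to move to a fixed release (5.0.2, 4.1.4, 4.0.19 or 3.1.9, per the affected ranges above). Until that upgrade is in place, a deployment can stop relying on the insecure default by setting the interceptor's BSP compliance flag explicitly when it is configured. The Java configuration below is an added example written for this page, not code from the Spring Web Services project or from the advisory. It assumes the Spring WS Java-config API (WsConfigurerAdapter and the wss4j2 interceptor package) and the setter name setBspCompliant(boolean), which is stated from memory of the Spring WS API and should be checked against the Javadoc of the version in use; the user name and password are constructed sample values.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.SimplePasswordValidationCallbackHandler;

@EnableWs
@Configuration
public class WsSecurityConfig extends WsConfigurerAdapter {

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Inbound validation: every request must carry a UsernameToken and a Timestamp.
        interceptor.setValidationActions("UsernameToken Timestamp");
        interceptor.setValidationCallbackHandler(passwordValidationCallbackHandler());

        // Turn BSP enforcement on explicitly rather than relying on the default,
        // which the affected versions leave disabled.
        // ASSUMPTION: the setter is named setBspCompliant(boolean); verify against
        // the Javadoc of the Spring WS version actually deployed.
        interceptor.setBspCompliant(true);

        return interceptor;
    }

    @Bean
    public SimplePasswordValidationCallbackHandler passwordValidationCallbackHandler() {
        SimplePasswordValidationCallbackHandler handler = new SimplePasswordValidationCallbackHandler();
        // Constructed sample credentials for illustration only; use a real credential store.
        handler.setUsersMap(Collections.singletonMap("demo-user", "demo-secret"));
        return handler;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        // Register the interceptor so it runs for all endpoints in this context.
        interceptors.add(securityInterceptor());
    }
}
```

With enforcement switched on, a request whose WS-Security header violates a BSP rule is rejected during validation and the client receives a security fault instead of the endpoint being invoked. Treat the explicit flag as a stop-gap: it protects only the interceptors you configure this way, whereas the fixed releases change the default for every instance.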