CVE-2026-40997 PUBLISHED

SOAP security faults leak Spring Security account state

Assigner: vmware
Reserved: 16.04.2026 Published: 11.06.2026 Updated: 11.06.2026

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Web Services
Versions	Default: unaffected affected from 5.0.0 to 5.0.2 (excl.) affected from 4.1.0 to 4.1.4 (excl.) affected from 4.0.0 to 4.0.19 (excl.) affected from 3.1.0 to 3.1.9 (excl.)

References

https://spring.io/security/cve-2026-40997

Problem Types

CWE-209: Generation of Error Message Containing Sensitive Information CWE

Impacts

Remote SOAP clients can enumerate valid accounts and infer account lifecycle state (locked, disabled) through detailed exception messages surfaced by Spring WS integration paths with Spring Security.