CVE-2026-40988

Vulnerability

An application using spring-security-saml2-service-provider with the REDIRECT binding for SAML 2.0 Login or Logout is vulnerable to a denial of service. This vulnerability arises from an unbounded writer that inflates a compressed SAML payload into memory. Affected versions include Spring Security 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5 [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted, compressed SAML message that, when decompressed, consumes excessive memory. This attack does not require authentication or network access beyond the ability to send a SAML request to the vulnerable service provider. The attacker needs to trigger the SAML 2.0 Login or Logout process with a malicious payload [1].

Impact

Successful exploitation of this vulnerability can lead to a denial of service (DoS) condition. The unbounded inflation of the SAML payload can exhaust system resources, causing the application to become unresponsive or crash. This impacts the availability of the application for all users [1].

Mitigation

This vulnerability has been fixed in subsequent releases of Spring Security. Users should update to a patched version. Specific fixed versions are detailed in the advisory [1]. No workarounds are mentioned in the available references. The advisory does not indicate if the vulnerability is listed on the Known Exploited Vulnerabilities (KEV) catalog or if the affected versions are end-of-life (EOL) [1].