CVE-2026-40991
Description
XXE injection in Spring REST Docs allows attackers to execute code when documenting untrusted XML APIs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring REST Docs versions 4.0.0, 3.0.0 through 3.0.5, and 2.0.0.RELEASE through 2.0.8.RELEASE are affected by an XML External Entity (XXE) injection vulnerability. This occurs when using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, and the documentation-generating tests are subsequently executed against untrusted XML content [1].
Exploitation
An attacker can exploit this vulnerability by compromising the API or tricking a user into documenting a malicious API. The XXE injection occurs when the documentation-generating tests are next executed, requiring the user to run these tests against the compromised or malicious API endpoint [1].
Impact
Successful exploitation of this XXE vulnerability can lead to information disclosure or denial of service. The exact impact depends on the XML parser's configuration and capabilities, but it allows an attacker to potentially read sensitive files or trigger network requests from the context of the documentation generation process [1].
Mitigation
Users of affected versions should upgrade to the following fixed versions: 4.0.1 (for 4.0.x), 3.0.6 (for 3.0.x), and 2.0.9.RELEASE (for 2.0.x) [1]. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading to the specified fix versions [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 4.0.0, 3.0.0 through 3.0.5, 2.0.0.RELEASE through 2.0.8.RELEASE
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (1)
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws · Vypr Intelligence · Jun 10, 2026