VYPR
← All advisories
High severity8.2NVD Advisory· Published Jun 11, 2026

CVE-2026-40994

CVE-2026-40994

Description

Wss4jSecurityInterceptor disables WS-I BSP validation by default, allowing inbound messages to bypass protocol-level security checks in affected Spring Web Services versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Wss4jSecurityInterceptor disables WS-I BSP validation by default, allowing inbound messages to bypass protocol-level security checks in affected Spring Web Services versions.

Vulnerability

Wss4jSecurityInterceptor in Spring Web Services versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 initializes its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disables WSS4J BSP enforcement on RequestData, contradicting the intended secure default and published setter contract [1]. Services that validate WS-Security on the network can therefore accept messages that violate BSP rules around signatures and related constructs, weakening protocol-level checks that are meant to constrain interoperable, safe use of WS-Security [1].

Exploitation

An attacker with network access to a service using Wss4jSecurityInterceptor (or equivalent wiring) for inbound validation, without explicitly enabling BSP compliance by calling the setBspCompliant setter method with true as argument, can send WS-Security messages that violate BSP rules [1]. No authentication or special privileges are required, as the flaw is in the default initialization logic, which applies to all unauthenticated inbound requests [1].

Impact

Successful exploitation allows an attacker to bypass WS-I Basic Security Profile compliance checks, potentially weakening protocol-level security constraints. This leads to a high integrity impact (CVSS integrity score 6.0) as messages with malformed or missing signatures may be accepted, and a low confidentiality impact (CVSS confidentiality score 1.6) [1]. The overall CVSS v3.1 base score is 8.2 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N [1].

Mitigation

Users of affected versions should upgrade to the fixed versions: 5.0.2 or 5.0.1.1 (Enterprise Support only) for 5.0.x, 4.1.4 or 4.1.3.1 (Enterprise Support only) for 4.1.x, 4.0.19 (Enterprise Support only) for 4.0.x, and 3.1.9 (Enterprise Support only) for 3.1.x [1]. If upgrading is not possible, BSP compliance can be enabled explicitly by calling the setBspCompliant setter method with true as argument [1]. Versions that are no longer supported are also affected [1].

References
  1. CVE-2026-40994: Wss4jSecurityInterceptor disables WS-I BSP validation by default

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.