CVE-2026-40995
Description
X509AuthenticationProvider in Spring Web Services issues an authenticated token without checking if the user account is disabled, locked, or expired, allowing authentication bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Spring Web Services, X509AuthenticationProvider skips Spring Security's standard account lifecycle checks (disabled, locked, expired, credentials expired) when a presented X.509 certificate maps to a UserDetails object. Spring Security's own providers apply these checks to every UserDetails before issuing a token (AbstractUserDetailsAuthenticationProvider through its pre- and post-authentication checks, PreAuthenticatedAuthenticationProvider through AccountStatusUserDetailsChecker); the Spring WS provider does not. The omission applies both to users resolved by the X509AuthoritiesPopulator and to cached entries. Affected versions: Spring Web Services 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. The vulnerability is reachable wherever certificate-based authentication is wired through the Spring WS X.509 integration with Spring Security and user records that should no longer authenticate (disabled, locked, or expired) still exist and still map to a trusted certificate.
Exploitation
The attacker needs an X.509 client certificate that the server trusts and that the X509AuthoritiesPopulator resolves to a UserDetails object; no other credential is required. In practice this is the ordinary case of an offboarded user or decommissioned service whose account was disabled or locked while its certificate stayed valid and in the trust store, a common operational shortcut that this flaw defeats. During mutual TLS or certificate-based SOAP authentication the attacker presents the certificate, and X509AuthenticationProvider issues a fully authenticated X509AuthenticationToken without performing the account status checks, even though the mapped account is disabled, locked, expired, or has expired credentials.
Impact
Successful exploitation allows an attacker with a certificate mapped to an otherwise restricted user account to authenticate and gain access to the application. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates low confidentiality and integrity impact; the attacker can read and modify data available to that account, despite the account’s disabled or locked state. The attacker assumes the privilege level of the mapped user.
Mitigation
Fixed versions are available: 5.0.2 (Open Source), 5.0.1.1 (Enterprise Support), 4.1.4 (Open Source), 4.1.3.1 (Enterprise Support), 4.0.19 (Enterprise Support), and 3.1.9 (Enterprise Support) [1]. Users of affected versions should upgrade to the fixed release on their branch; the advisory names no other mitigation. Unsupported versions remain vulnerable. To confirm which version is deployed, check the resolved version of the org.springframework.ws artifacts in the build (for Maven, mvn dependency:tree -Dincludes=org.springframework.ws) rather than the version declared in the POM, and audit the trust store for certificates belonging to accounts that were disabled or locked instead of having their certificate revoked, since those are exactly the accounts this flaw lets back in.
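The following is an added example, written for this page and not taken from Spring Web Services or from the fix. It shows the control the vulnerable provider omits and how to re-apply it around the provider as a stop-gap until the upgrade is deployed. It assumes that X509AuthenticationProvider lives in the org.springframework.ws.soap.security.x509 package, implements Spring Security's AuthenticationProvider, and returns a token whose principal is the UserDetails resolved by the X509AuthoritiesPopulator, as the Spring Security X.509 provider it derives from did; the decorator class, its name and the stand-in provider in main are hypothetical. The checker it uses, AccountStatusUserDetailsChecker, is the one Spring Security's own PreAuthenticatedAuthenticationProvider applies.

```java
// Added example for this advisory page, not code from Spring Web Services or its fix.
// Assumed, because the page does not state them: the package of X509AuthenticationProvider,
// that it implements AuthenticationProvider, and that the token it returns carries the
// resolved UserDetails as its principal (as the Spring Security provider it derives from did).
package example.x509;

import java.util.Collections;

import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.ws.soap.security.x509.X509AuthenticationProvider; // package assumed

/**
 * Re-applies Spring Security's standard account-status checks (locked, disabled,
 * account expired, credentials expired) to whatever a delegate provider returns.
 * Wrapping X509AuthenticationProvider in it restores the checks the vulnerable
 * versions skip, as a stop-gap until the fixed Spring WS release is deployed.
 */
public final class AccountStatusEnforcingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public AccountStatusEnforcingProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            return null; // delegate declined; ProviderManager moves on to the next provider
        }
        Object principal = result.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            // Fail closed: without a UserDetails there is no account status to evaluate.
            throw new BadCredentialsException("Authenticated principal exposes no account status");
        }
        // Throws LockedException, DisabledException, AccountExpiredException or
        // CredentialsExpiredException, so a restricted account never receives a token.
        checker.check((UserDetails) principal);
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }

    /** Wires the decorator in front of an already-configured X509AuthenticationProvider. */
    public static AuthenticationManager hardened(X509AuthenticationProvider x509Provider) {
        AuthenticationProvider wrapped = new AccountStatusEnforcingProvider(x509Provider);
        return new ProviderManager(Collections.singletonList(wrapped));
    }

    /** Offline check: a stand-in for the vulnerable provider hands out a token for a disabled user. */
    public static void main(String[] args) {
        // Constructed sample account: disabled, but still mapped to a trusted certificate.
        UserDetails disabledUser = User.withUsername("svc-billing").password("unused")
                .authorities("ROLE_SOAP_CLIENT").disabled(true).build();
        AuthenticationProvider vulnerableStandIn = new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication request) {
                // Mirrors the reported behaviour: token issued with no status checks.
                return new UsernamePasswordAuthenticationToken(
                        disabledUser, request.getCredentials(), disabledUser.getAuthorities());
            }

            @Override
            public boolean supports(Class<?> authentication) {
                return true;
            }
        };
        Authentication request = new UsernamePasswordAuthenticationToken("svc-billing", "cert-stand-in");
        try {
            new AccountStatusEnforcingProvider(vulnerableStandIn).authenticate(request);
            System.out.println("BUG: disabled account was authenticated");
        } catch (DisabledException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Wrapping the provider rather than replacing it keeps the certificate-to-user mapping and the cache untouched and adds only the status check, so it can be removed cleanly after the upgrade. The check is only as good as the UserDetails the populator returns: if the populator never reports isEnabled() or isAccountNonLocked() as false, there is nothing to enforce, and the account must instead be cut off by removing the certificate from the trust store or revoking it.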
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=3.1.0, <=5.0.1 (this single range is coarser than the per-branch list in the Vulnerability section: the patched releases 3.1.9, 4.0.19 and 4.1.4 fall inside it, so rely on the branch-specific fixed versions rather than the range alone)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.