CVE-2026-40997
Description
Spring Web Services surfaces detailed account state to SOAP clients, enabling remote user enumeration via authentication fault messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2026-40997 affects Spring Web Services (Spring WS) when integrated with Spring Security. Several integration paths, specifically those using callback handlers or helpers for username-token, digest, or X.509 validation, could propagate account status exceptions (e.g., locked or disabled user semantics) to the SOAP layer as detailed exception messages or callback outcomes, rather than failing with a generic BadCredentialsException. This allows remote SOAP clients to distinguish valid accounts from invalid ones and infer lifecycle state. Affected versions include Spring WS 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; and 3.1.0 through 3.1.8. [1]
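The pattern the paragraph describes, shown in code as an added illustration rather than Spring WS's own callback handler or the advisory's fix (the page carries no fix diff): a hypothetical validation helper in which each failure mode throws a different Spring Security exception, beside a variant that collapses every failure into one generic BadCredentialsException. The class name, the use of a UserDetailsService plus PasswordEncoder, and the logger are assumptions for the example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical password-validation helper (added example, not Spring WS code).
 * Shows the account-state leak described in the CVE text and a normalized variant.
 */
public final class UniformFailureValidator {

    private static final Logger LOG = Logger.getLogger(UniformFailureValidator.class.getName());

    private final UserDetailsService users;
    private final PasswordEncoder encoder;
    /** Encoded dummy password so a failed lookup still costs one hash comparison. */
    private final String dummyHash;

    public UniformFailureValidator(UserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("not-a-real-password");
    }

    /**
     * Leaky variant: distinct exception types (and messages) escape to whatever
     * caller turns them into a SOAP fault, so a client can tell "unknown user",
     * "locked", "disabled" and "wrong password" apart.
     */
    public UserDetails validateLeaky(String username, String rawPassword) {
        // loadUserByUsername throws UsernameNotFoundException for unknown accounts
        UserDetails user = users.loadUserByUsername(username);
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Account " + username + " is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account " + username + " is disabled");
        }
        if (!encoder.matches(rawPassword, user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        return user;
    }

    /**
     * Hardened variant: every failure collapses to one BadCredentialsException with
     * a constant message. The real reason stays server-side, in the log only.
     */
    public UserDetails validateUniform(String username, String rawPassword) {
        try {
            return validateLeaky(username, rawPassword);
        } catch (UsernameNotFoundException e) {
            // Burn the same hash cost as a real comparison so response time does
            // not reveal whether the username exists.
            encoder.matches(rawPassword, dummyHash);
            LOG.log(Level.FINE, "Authentication failed: unknown user", e);
            throw new BadCredentialsException("Bad credentials");
        } catch (AccountStatusException e) {
            // LockedException/DisabledException skip the password check above, so
            // equalize timing here too before returning the generic failure.
            encoder.matches(rawPassword, dummyHash);
            LOG.log(Level.FINE, "Authentication failed: account status", e);
            throw new BadCredentialsException("Bad credentials");
        }
    }
}
```

Whatever converts the thrown exception into the SOAP fault should see only the constant "Bad credentials" message from validateUniform; the specific LockedException or DisabledException detail is available in server logs for operators. The dummy-hash step follows the same idea Spring Security's DaoAuthenticationProvider uses to keep unknown-user and wrong-password paths similar in cost.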
Exploitation
An unauthenticated remote attacker can send crafted SOAP authentication requests (e.g., username-token, digest, or X.509) to an affected endpoint. If a valid account exists, the attacker may receive a fault message or callback response that reveals whether the account is locked, disabled, or has other lifecycle state, instead of a consistent generic authentication failure. The attacker does not need any prior credentials or network position beyond the ability to reach the SOAP service. [1]
Impact
Successful exploitation allows an attacker to enumerate valid user accounts and determine their lifecycle state (e.g., locked, disabled). This is classified as information disclosure (user enumeration) at the security layer, with moderate impact on confidentiality (CVSS v3 base score: 5.3, vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The attacker gains no write or execution access, but the leaked information can assist in targeted attacks, such as credential stuffing or social engineering. [1]
Mitigation
Users of affected versions should upgrade to the corresponding fixed versions as specified in the advisory: 5.0.2 (OSS) or 5.0.1.1 (Enterprise Support); 4.1.4 (OSS) or 4.1.3.1 (Enterprise Support); 4.0.19 (Enterprise Support only); and 3.1.9 (Enterprise Support only). Versions that are no longer supported are also affected. No further mitigation steps are necessary. [1]
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=5.0.0 <=5.0.1, >=4.1.0 <=4.1.3, >=4.0.0 <=4.0.18, >=3.1.0 <=3.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.