CVE-2026-40998
Description
Spring Web Services' Jaxp13XPathTemplate fails to harden XML parsing, allowing XXE attacks via untrusted StreamSource or SAXSource payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jaxp13XPathTemplate in Spring Web Services evaluates XPath expressions for StreamSource and SAXSource inputs using a code path that parses attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. This exposes applications to XML External Entity (XXE) style attacks. Affected versions are Spring Web Services 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 [1].
Exploitation
An attacker needs to supply an XML payload (via StreamSource or SAXSource) that contains malicious external entities to a vulnerable XPath evaluation endpoint. The attack requires no authentication or user interaction; the application must evaluate XPath expressions over data that is controlled or influenced by remote users, either directly or through message paths, without an additional hardening layer [1]. The attacker crafts a malicious XML document that defines external entities pointing to local files or internal network resources, then triggers XPath evaluation, causing the parser to resolve those entities.
Impact
Successful exploitation leads to XML External Entity (XXE) attacks, which can result in confidential file disclosure (e.g., reading /etc/passwd) or server-side request forgery (SSRF) through the resolution of external entities. The impact depends on the parser and platform behavior, but generally includes high confidentiality impact and low integrity impact, with no direct impact on availability according to the CVSS vector [1].
Mitigation
Users of affected versions should upgrade to a fixed version: 5.0.x to 5.0.2 (OSS), 4.1.x to 4.1.4 (OSS), 4.0.x to 4.0.19 (Enterprise Support Only), 3.1.x to 3.1.9 (Enterprise Support Only). For 5.0.1 and 4.1.3, Enterprise support versions 5.0.1.1 and 4.1.3.1 are also available. No further mitigation steps are necessary after upgrading [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.1.0,<3.1.9 || >=4.0.0,<4.0.19 || >=4.1.0,<4.1.4 || >=5.0.0,<5.0.2
- Range: <=5.0.1, <=4.1.3, <=4.0.18, <=3.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.