Low severity (CVSS 3.7) · NVD Advisory · Published Jun 11, 2026

CVE-2026-41000

Description

Wss4jSecurityInterceptor fails to wire replay cache, allowing replay of SOAP tokens despite configured cache.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. This affects Spring Web Services versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. [1]

Exploitation

An attacker with network access to a service that accepts SOAP messages and expects replay detection can re-submit a captured SOAP message with still-valid UsernameToken nonces, Timestamp elements, or SAML one-time-use constructs within the acceptance window. [1]

Impact

Successful exploitation allows replay of authentication tokens, potentially bypassing authentication or enabling unauthorized operations. The CVSS v3 base score is 3.7 (Low), indicating limited impact on integrity. [1]

Mitigation

Upgrade to fixed versions: for 5.0.x upgrade to 5.0.2; for 4.1.x upgrade to 4.1.4; for 4.0.x upgrade to 4.0.19; for 3.1.x upgrade to 3.1.9. If upgrading is not possible, extend Wss4jSecurityInterceptor and override initializeValidationRequestData(MessageContext messageContext) to set NonceReplayCache, TimestampReplayCache, and SamlOneTimeUseReplayCache on the RequestData object. [1]
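The workaround described above, written out as an added example (not code from Spring Web Services or the advisory). It assumes WSS4J 2.x types (org.apache.wss4j.common.cache.ReplayCache, org.apache.wss4j.dom.handler.RequestData), that initializeValidationRequestData returns the RequestData the parent builds, and that the application already constructs the three ReplayCache instances it injects here.

```java
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.dom.handler.RequestData;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

/**
 * Workaround for CVE-2026-41000 on versions that cannot be upgraded yet:
 * make sure the replay caches the application configures actually reach
 * the RequestData that WSS4J uses for validation-time (inbound) checks.
 */
public class ReplayAwareWss4jSecurityInterceptor extends Wss4jSecurityInterceptor {

    private final ReplayCache nonceReplayCache;
    private final ReplayCache timestampReplayCache;
    private final ReplayCache samlOneTimeUseReplayCache;

    // Assumption: the three caches are created and configured by the application
    // (e.g. the same cache instances it already uses for its WSS4J setup).
    public ReplayAwareWss4jSecurityInterceptor(ReplayCache nonceReplayCache,
                                               ReplayCache timestampReplayCache,
                                               ReplayCache samlOneTimeUseReplayCache) {
        this.nonceReplayCache = nonceReplayCache;
        this.timestampReplayCache = timestampReplayCache;
        this.samlOneTimeUseReplayCache = samlOneTimeUseReplayCache;
    }

    @Override
    protected RequestData initializeValidationRequestData(MessageContext messageContext) {
        // Let the parent build the RequestData as usual (WssConfig, callback handler, ...).
        RequestData requestData = super.initializeValidationRequestData(messageContext);

        // Wire the caches so UsernameToken nonces, Timestamp elements and SAML
        // one-time-use assertions are checked against previously seen values
        // instead of being accepted again within the acceptance window.
        requestData.setNonceReplayCache(nonceReplayCache);
        requestData.setTimestampReplayCache(timestampReplayCache);
        requestData.setSamlOneTimeUseReplayCache(samlOneTimeUseReplayCache);
        return requestData;
    }
}
```

Register this subclass in place of the plain Wss4jSecurityInterceptor in the endpoint interceptor chain; a quick check is to send the same signed request twice and confirm the second one is rejected.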

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
