Description

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-11 | Updated 2026-06-11 | Assigner vmware




MEDIUM: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Problem types

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Product status

Default status: unaffected

5.0.0 (custom) before 5.0.2: affected

4.1.0 (custom) before 4.1.4: affected

4.0.0 (custom) before 4.0.19: affected

3.1.0 (custom) before 3.1.9: affected

References

spring.io/security/cve-2026-40996

cve.org (CVE-2026-40996)

nvd.nist.gov (CVE-2026-40996)
