
Description

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
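The weakness class above (CWE-209) comes down to letting the specific Spring Security exception type or message reach the client. The following Java snippet is an added illustration of the general mitigation pattern, not Spring WS's own code or the fix shipped in the patched versions: the vulnerable shape echoes the exception message to the SOAP caller, while the hardened shape collapses every `AuthenticationException` subtype (`LockedException`, `DisabledException`, `BadCredentialsException`, and so on) into one uniform failure and keeps the real reason in a server-side log. The class and method names (`GenericFailureAuthenticator`, `authenticateLeaky`, `authenticateUniform`) are hypothetical; it assumes Spring Security on the classpath and a caller-supplied `AuthenticationManager`.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Hypothetical wrapper used from a SOAP security callback. It shows the
 * difference between surfacing account-state detail and returning a
 * single generic failure. This is illustrative code, not Spring WS's.
 */
public class GenericFailureAuthenticator {

    private static final Logger LOG = Logger.getLogger(GenericFailureAuthenticator.class.getName());

    // Constant message so every failure path reads identically to the client.
    private static final String GENERIC_FAILURE = "Authentication failed";

    private final AuthenticationManager authenticationManager;

    public GenericFailureAuthenticator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * VULNERABLE SHAPE (for contrast): the concrete exception and its message
     * ("User account is locked", "User is disabled", "Bad credentials") are
     * forwarded to the remote caller, so valid-but-locked accounts become
     * distinguishable from non-existent ones.
     */
    public Authentication authenticateLeaky(String username, String password) {
        try {
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
        } catch (AuthenticationException e) {
            // The message is state-specific; rethrowing it leaks lifecycle info.
            throw new BadCredentialsException(e.getMessage(), e);
        }
    }

    /**
     * HARDENED SHAPE: every AuthenticationException subtype maps to the same
     * outward-facing failure. The precise reason is logged server-side where
     * operators can see it, but it never reaches the SOAP response.
     */
    public Authentication authenticateUniform(String username, String password) {
        try {
            return authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
        } catch (AuthenticationException e) {
            // Log the real cause (type + message) for detection and triage.
            LOG.log(Level.INFO, "Authentication failure for user [" + username + "]: "
                    + e.getClass().getSimpleName() + " - " + e.getMessage());
            // Do not chain the cause: some fault mappers serialize cause messages too.
            throw new BadCredentialsException(GENERIC_FAILURE);
        }
    }
}
```

Whatever fault-mapping layer sits between this code and the SOAP envelope (a custom `EndpointExceptionResolver`, a callback handler, or a generic exception-to-fault mapper) should likewise emit only the constant string, since a mapper that copies `getMessage()` or walks the cause chain would reintroduce the leak that the uniform path removes.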

PUBLISHED Reserved 2026-04-16 | Published 2026-06-11 | Updated 2026-06-11 | Assigner vmware

MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-209: Generation of Error Message Containing Sensitive Information

Product status

Default status: unaffected

5.0.0 (custom) before 5.0.2: affected

4.1.0 (custom) before 4.1.4: affected

4.0.0 (custom) before 4.0.19: affected

3.1.0 (custom) before 3.1.9: affected

References

spring.io/security/cve-2026-40997

cve.org (CVE-2026-40997)

nvd.nist.gov (CVE-2026-40997)
