Home

Description

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-11 | Updated 2026-06-11 | Assigner vmware




HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

5.0.0 (custom) before 5.0.2
affected

4.1.0 (custom) before 4.1.4
affected

4.0.0 (custom) before 4.0.19
affected

3.1.0 (custom) before 3.1.9
affected

References

spring.io/security/cve-2026-40999

cve.org (CVE-2026-40999)

nvd.nist.gov (CVE-2026-40999)

Download JSON