Unbounded DEFLATE Inflation in SAML 2.0 Service Provider_CVE-2026-40988

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.

Affected versions:
Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Basic Information

ID CVE-2026-40988

Source vmware

Published Jun 9, 2026 at 23:46

Affected Product

Vendor Spring

Product Spring Security

Version 5.7.0

Affected Versions Spring Spring Security 5.7.0
Spring Spring Security 5.8.0
Spring Spring Security 6.3.0
Spring Spring Security 6.4.0
Spring Spring Security 6.5.0
Spring Spring Security 7.0.0

CWE Classification

CWE-400

References

spring.io /security/cve-2026-40988

{
    "lastseen": "",
    "description": "An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.",
    "published": "2026-06-09T23:46:15.589Z",
    "modified": "2026-06-09T23:46:15.589Z",
    "type": "cve",
    "title": "Unbounded DEFLATE Inflation in SAML 2.0 Service Provider",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40988",
    "id": "CVE-2026-40988",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Security 5.7.0\nSpring Spring Security 5.8.0\nSpring Spring Security 6.3.0\nSpring Spring Security 6.4.0\nSpring Spring Security 6.5.0\nSpring Spring Security 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Security",
    "version": "5.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}