X.509 authentication bypasses Spring Security account checks_CVE-2026-40995

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts).

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Basic Information

ID CVE-2026-40995

Source vmware

Published Jun 11, 2026 at 05:04

Affected Product

Vendor Spring

Product Spring Web Services

Version 5.0.0

Affected Versions Spring Spring Web Services 5.0.0
Spring Spring Web Services 4.1.0
Spring Spring Web Services 4.0.0
Spring Spring Web Services 3.1.0

CWE Classification

CWE-287

References

spring.io /security/cve-2026-40995

{
    "lastseen": "",
    "description": "X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts).\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
    "published": "2026-06-11T05:04:01.695Z",
    "modified": "2026-06-11T05:04:01.695Z",
    "type": "cve",
    "title": "X.509 authentication bypasses Spring Security account checks",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40995",
    "id": "CVE-2026-40995",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Web Services 5.0.0\nSpring Spring Web Services 4.1.0\nSpring Spring Web Services 4.0.0\nSpring Spring Web Services 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Web Services",
    "version": "5.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}