CVE 8.6 HIGH

Spring WS SSRF via unvalidated WS-Addressing reply destinations_CVE-2026-40999

June 11, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

AI Analysis

Spring WS may initiate outbound connections to unverified destinations when WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, allowing for potential SSRF attacks.

Basic Information

ID CVE-2026-40999

Source vmware

Published Jun 11, 2026 at 05:04

Affected Product

Vendor Spring

Product Spring Web Services

Version 5.0.0

Affected Versions Spring Spring Web Services 5.0.0
Spring Spring Web Services 4.1.0
Spring Spring Web Services 4.0.0
Spring Spring Web Services 3.1.0

CWE Classification

CWE-918

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Spring

Product Spring Web Services

Version 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, 5.0.0-5.0.1

References

spring.io /security/cve-2026-40999

{
    "lastseen": "",
    "description": "When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.",
    "published": "2026-06-11T05:04:17.009Z",
    "modified": "2026-06-11T05:04:17.009Z",
    "type": "cve",
    "title": "Spring WS SSRF via unvalidated WS-Addressing reply destinations",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40999",
    "id": "CVE-2026-40999",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Web Services 5.0.0\nSpring Spring Web Services 4.1.0\nSpring Spring Web Services 4.0.0\nSpring Spring Web Services 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Web Services",
    "version": "5.0.0",
    "vendor": "Spring",
    "ai_description": "Spring WS may initiate outbound connections to unverified destinations when WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, allowing for potential SSRF attacks.",
    "ai_severity": "High",
    "ai_vendor": "Spring",
    "ai_product": "Spring Web Services",
    "ai_version": "3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, 5.0.0-5.0.1",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply