Vulnerability-Lookup

WID-SEC-W-2026-1869

Vulnerability from csaf_certbund - Published: 2026-06-09 22:00 - Updated: 2026-06-09 22:00

Summary

VMware Tanzu Spring Security: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Spring Security ist ein Framework, das Authentifizierung, Autorisierung und Schutz vor gängigen Angriffen bietet.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in VMware Tanzu Spring Security ausnutzen, um einen Denial of Service zu verursachen, beliebigen Code auszuführen, Benutzer auf beliebige Websites umzuleiten, Informationen offenzulegen und die Identität eines anderen Benutzers anzunehmen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2026-40988

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <5.8.26 VMware Tanzu / Spring Security		<5.8.26
VMware Tanzu Spring Security <5.7.24 VMware Tanzu / Spring Security		<5.7.24
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6
VMware Tanzu Spring Security <6.3.17 VMware Tanzu / Spring Security		<6.3.17
VMware Tanzu Spring Security <6.4.17 VMware Tanzu / Spring Security		<6.4.17
VMware Tanzu Spring Security <6.5.11 VMware Tanzu / Spring Security		<6.5.11

CVE-2026-40993

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6

CVE-2026-41003

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <5.8.26 VMware Tanzu / Spring Security		<5.8.26
VMware Tanzu Spring Security <5.7.24 VMware Tanzu / Spring Security		<5.7.24
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6
VMware Tanzu Spring Security <6.3.17 VMware Tanzu / Spring Security		<6.3.17
VMware Tanzu Spring Security <6.4.17 VMware Tanzu / Spring Security		<6.4.17
VMware Tanzu Spring Security <6.5.11 VMware Tanzu / Spring Security		<6.5.11

CVE-2026-41008

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6

CVE-2026-41694

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <5.8.26 VMware Tanzu / Spring Security		<5.8.26
VMware Tanzu Spring Security <5.7.24 VMware Tanzu / Spring Security		<5.7.24
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6
VMware Tanzu Spring Security <6.3.17 VMware Tanzu / Spring Security		<6.3.17
VMware Tanzu Spring Security <6.4.17 VMware Tanzu / Spring Security		<6.4.17
VMware Tanzu Spring Security <6.5.11 VMware Tanzu / Spring Security		<6.5.11

CVE-2026-41706

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <5.8.26 VMware Tanzu / Spring Security		<5.8.26
VMware Tanzu Spring Security <5.7.24 VMware Tanzu / Spring Security		<5.7.24
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6
VMware Tanzu Spring Security <6.3.17 VMware Tanzu / Spring Security		<6.3.17
VMware Tanzu Spring Security <6.4.17 VMware Tanzu / Spring Security		<6.4.17
VMware Tanzu Spring Security <6.5.11 VMware Tanzu / Spring Security		<6.5.11

CVE-2026-47838

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
VMware Tanzu Spring Security <5.8.26 VMware Tanzu / Spring Security		<5.8.26
VMware Tanzu Spring Security <5.7.24 VMware Tanzu / Spring Security		<5.7.24
VMware Tanzu Spring Security <6.4.18 VMware Tanzu / Spring Security		<6.4.18
VMware Tanzu Spring Security <6.3.18 VMware Tanzu / Spring Security		<6.3.18
VMware Tanzu Spring Security <5.8.27 VMware Tanzu / Spring Security		<5.8.27
VMware Tanzu Spring Security <7.0.6 VMware Tanzu / Spring Security		<7.0.6
VMware Tanzu Spring Security <6.3.17 VMware Tanzu / Spring Security		<6.3.17
VMware Tanzu Spring Security <6.4.17 VMware Tanzu / Spring Security		<6.4.17
VMware Tanzu Spring Security <6.5.11 VMware Tanzu / Spring Security		<6.5.11

References

9 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://spring.io/security/cve-2026-40988	external
https://spring.io/security/cve-2026-40993	external
https://spring.io/security/cve-2026-41003	external
https://spring.io/security/cve-2026-41008	external
https://spring.io/security/cve-2026-41694	external
https://spring.io/security/cve-2026-41706	external
https://spring.io/security/cve-2026-47838	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Spring Security ist ein Framework, das Authentifizierung, Autorisierung und Schutz vor g\u00e4ngigen Angriffen bietet.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in VMware Tanzu Spring Security ausnutzen, um einen Denial of Service zu verursachen, beliebigen Code auszuf\u00fchren, Benutzer auf beliebige Websites umzuleiten, Informationen offenzulegen und die Identit\u00e4t eines anderen Benutzers anzunehmen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1869 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1869.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1869 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1869"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-40988"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-40993"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-41003"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-41008"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-41694"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-41706"
      },
      {
        "category": "external",
        "summary": "Spring Security Advisories vom 2026-06-09",
        "url": "https://spring.io/security/cve-2026-47838"
      }
    ],
    "source_lang": "en-US",
    "title": "VMware Tanzu Spring Security: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-09T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-10T09:35:57.231+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1869",
      "initial_release_date": "2026-06-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.7.24",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c5.7.24",
                  "product_id": "T055188"
                }
              },
              {
                "category": "product_version",
                "name": "5.7.24",
                "product": {
                  "name": "VMware Tanzu Spring Security 5.7.24",
                  "product_id": "T055188-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:5.7.24"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.8.26",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c5.8.26",
                  "product_id": "T055189"
                }
              },
              {
                "category": "product_version",
                "name": "5.8.26",
                "product": {
                  "name": "VMware Tanzu Spring Security 5.8.26",
                  "product_id": "T055189-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:5.8.26"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.5.11",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c6.5.11",
                  "product_id": "T055190"
                }
              },
              {
                "category": "product_version",
                "name": "6.5.11",
                "product": {
                  "name": "VMware Tanzu Spring Security 6.5.11",
                  "product_id": "T055190-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:6.5.11"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.4.17",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c6.4.17",
                  "product_id": "T055191"
                }
              },
              {
                "category": "product_version",
                "name": "6.4.17",
                "product": {
                  "name": "VMware Tanzu Spring Security 6.4.17",
                  "product_id": "T055191-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:6.4.17"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.3.17",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c6.3.17",
                  "product_id": "T055192"
                }
              },
              {
                "category": "product_version",
                "name": "6.3.17",
                "product": {
                  "name": "VMware Tanzu Spring Security 6.3.17",
                  "product_id": "T055192-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:6.3.17"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.0.6",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c7.0.6",
                  "product_id": "T055193"
                }
              },
              {
                "category": "product_version",
                "name": "7.0.6",
                "product": {
                  "name": "VMware Tanzu Spring Security 7.0.6",
                  "product_id": "T055193-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:7.0.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.7.25",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c5.7.25",
                  "product_id": "T055194"
                }
              },
              {
                "category": "product_version",
                "name": "5.7.25",
                "product": {
                  "name": "VMware Tanzu Spring Security 5.7.25",
                  "product_id": "T055194-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:5.7.25"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.8.27",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c5.8.27",
                  "product_id": "T055195"
                }
              },
              {
                "category": "product_version",
                "name": "5.8.27",
                "product": {
                  "name": "VMware Tanzu Spring Security 5.8.27",
                  "product_id": "T055195-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:5.8.27"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.3.18",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c6.3.18",
                  "product_id": "T055196"
                }
              },
              {
                "category": "product_version",
                "name": "6.3.18",
                "product": {
                  "name": "VMware Tanzu Spring Security 6.3.18",
                  "product_id": "T055196-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:6.3.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.4.18",
                "product": {
                  "name": "VMware Tanzu Spring Security \u003c6.4.18",
                  "product_id": "T055197"
                }
              },
              {
                "category": "product_version",
                "name": "6.4.18",
                "product": {
                  "name": "VMware Tanzu Spring Security 6.4.18",
                  "product_id": "T055197-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vmware_tanzu:spring_security:6.4.18"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Spring Security"
          }
        ],
        "category": "vendor",
        "name": "VMware Tanzu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40988",
      "product_status": {
        "known_affected": [
          "T055189",
          "T055188",
          "T055193",
          "T055192",
          "T055191",
          "T055190"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-40988"
    },
    {
      "cve": "CVE-2026-40993",
      "product_status": {
        "known_affected": [
          "T055193"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-40993"
    },
    {
      "cve": "CVE-2026-41003",
      "product_status": {
        "known_affected": [
          "T055189",
          "T055188",
          "T055193",
          "T055192",
          "T055191",
          "T055190"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-41003"
    },
    {
      "cve": "CVE-2026-41008",
      "product_status": {
        "known_affected": [
          "T055193"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-41008"
    },
    {
      "cve": "CVE-2026-41694",
      "product_status": {
        "known_affected": [
          "T055189",
          "T055188",
          "T055193",
          "T055192",
          "T055191",
          "T055190"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-41694"
    },
    {
      "cve": "CVE-2026-41706",
      "product_status": {
        "known_affected": [
          "T055189",
          "T055188",
          "T055193",
          "T055192",
          "T055191",
          "T055190"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-41706"
    },
    {
      "cve": "CVE-2026-47838",
      "product_status": {
        "known_affected": [
          "T055189",
          "T055188",
          "T055197",
          "T055196",
          "T055195",
          "T055193",
          "T055192",
          "T055191",
          "T055190"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-47838"
    }
  ]
}

CVE-2026-40988 (GCVE-0-2026-40988)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:46 – Updated: 2026-06-10 18:08

Title

Unbounded DEFLATE Inflation in SAML 2.0 Service Provider

Summary

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-40988

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 5.7.0 , < 5.7.24 (custom) Affected: 5.8.0 , < 5.8.26 (custom) Affected: 6.3.0 , < 6.3.17 (custom) Affected: 6.4.0 , < 6.4.17 (custom) Affected: 6.5.0 , < 6.5.11 (custom) Affected: 7.0.0 , < 7.0.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40988",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:08:29.853478Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:08:45.288Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.24",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.26",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.17",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.17",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.5.11",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
            }
          ],
          "value": "An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An unauthenticated remote attacker can cause denial of service by sending a crafted SAML REDIRECT binding request that inflates an unbounded compressed payload into memory."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:46:15.589Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-40988"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unbounded DEFLATE Inflation in SAML 2.0 Service Provider",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-40988",
    "datePublished": "2026-06-09T23:46:15.589Z",
    "dateReserved": "2026-04-16T02:19:09.389Z",
    "dateUpdated": "2026-06-10T18:08:45.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40993 (GCVE-0-2026-40993)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:46 – Updated: 2026-06-10 13:01

Title

Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry

Summary

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.

Severity

7.3 (High)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-40993

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 7.0.0 , < 7.0.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40993",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:00:59.840309Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:01:11.325Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).\n\nAffected versions:\nSpring Security 7.0.0 through 7.0.5."
            }
          ],
          "value": "An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).\n\nAffected versions:\nSpring Security 7.0.0 through 7.0.5."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker with write access to the saml2_asserting_party_metadata table can store malicious serialized payloads to achieve remote code execution on the server."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:46:39.702Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-40993"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-40993",
    "datePublished": "2026-06-09T23:46:39.702Z",
    "dateReserved": "2026-04-16T02:19:09.389Z",
    "dateUpdated": "2026-06-10T13:01:11.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41003 (GCVE-0-2026-41003)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:46 – Updated: 2026-06-10 18:08

Title

Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting

Summary

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-41003

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 5.7.0 , < 5.7.24 (custom) Affected: 5.8.0 , < 5.8.26 (custom) Affected: 6.3.0 , < 6.3.17 (custom) Affected: 6.4.0 , < 6.4.17 (custom) Affected: 6.5.0 , < 6.5.11 (custom) Affected: 7.0.0 , < 7.0.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41003",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:07:53.818849Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:08:02.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.24",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.26",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.17",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.17",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.5.11",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
            }
          ],
          "value": "An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can influence RelyingPartyRegistration values can inject arbitrary code into HTML forms generated by Spring Security filters, resulting in a stored XSS vulnerability."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:46:53.683Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41003"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41003",
    "datePublished": "2026-06-09T23:46:53.683Z",
    "dateReserved": "2026-04-16T02:19:12.970Z",
    "dateUpdated": "2026-06-10T18:08:02.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41008 (GCVE-0-2026-41008)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-10 18:07

Title

Spring Security Authorization Server Open Redirect via request_uri

Summary

Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site (Open Redirect)

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-41008

Impacted products

2 products

Vendor	Product	Version
Spring	Spring Security	Affected: 7.0.0 , < 7.0.6 (custom)
Spring	Spring Authorization Server	Affected: 1.5.0 , < 1.5.8 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41008",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:07:02.878770Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:07:24.866Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Spring Authorization Server",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "1.5.8",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spring Security Authorization Server\u0027s authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability.\n\nAffected versions:\nSpring Security 7.0.0 through 7.0.5.\nSpring Authorization Server 1.5.0 through 1.5.7."
            }
          ],
          "value": "Spring Security Authorization Server\u0027s authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability.\n\nAffected versions:\nSpring Security 7.0.0 through 7.0.5.\nSpring Authorization Server 1.5.0 through 1.5.7."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft a malicious authorization request with an invalid request_uri and an unvalidated redirect_uri to cause an open redirect in Spring Security Authorization Server."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (Open Redirect)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:47:07.292Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41008"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spring Security Authorization Server Open Redirect via request_uri",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41008",
    "datePublished": "2026-06-09T23:47:07.292Z",
    "dateReserved": "2026-04-16T02:19:16.426Z",
    "dateUpdated": "2026-06-10T18:07:24.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41694 (GCVE-0-2026-41694)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-10 18:54

Title

SAML Payloads Decrypted Without Valid Signature

Summary

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Severity

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-41694

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 5.7.0 , < 5.7.24 (custom) Affected: 5.8.0 , < 5.8.26 (custom) Affected: 6.3.0 , < 6.3.17 (custom) Affected: 6.4.0 , < 6.4.17 (custom) Affected: 6.5.0 , < 6.5.11 (custom) Affected: 7.0.0 , < 7.0.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41694",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:54:16.996908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:54:30.855Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.24",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.26",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.17",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.17",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.5.11",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
            }
          ],
          "value": "Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft SAML Responses, LogoutRequests, or LogoutResponses without a valid signature and use the Service Provider as a decryption oracle."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:47:17.784Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41694"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SAML Payloads Decrypted Without Valid Signature",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41694",
    "datePublished": "2026-06-09T23:47:17.784Z",
    "dateReserved": "2026-04-22T06:21:22.981Z",
    "dateUpdated": "2026-06-10T18:54:30.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41706 (GCVE-0-2026-41706)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:47 – Updated: 2026-06-10 13:03

Title

Open Redirect When Using CookieRequestCache

Summary

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site (Open Redirect)

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-41706

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 5.7.0 , < 5.7.24 (custom) Affected: 5.8.0 , < 5.8.26 (custom) Affected: 6.3.0 , < 6.3.17 (custom) Affected: 6.4.0 , < 6.4.17 (custom) Affected: 6.5.0 , < 6.5.11 (custom) Affected: 7.0.0 , < 7.0.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41706",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:03:12.093082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:03:21.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.24",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.26",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.17",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.17",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.5.11",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.0.6",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spring Security\u0027s CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
            }
          ],
          "value": "Spring Security\u0027s CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can influence the REDIRECT_URI cookie can redirect an authenticated user to an attacker-controlled URL immediately after a successful login, enabling phishing attacks."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (Open Redirect)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:47:58.903Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-41706"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Open Redirect When Using CookieRequestCache",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-41706",
    "datePublished": "2026-06-09T23:47:58.903Z",
    "dateReserved": "2026-04-22T06:21:34.489Z",
    "dateUpdated": "2026-06-10T13:03:21.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47838 (GCVE-0-2026-47838)

Vulnerability from cvelistv5 – Published: 2026-06-09 23:50 – Updated: 2026-06-11 03:55

Title

Unauthorized User Impersonation when Using X.509 Client Certificates

Summary

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Severity

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-287 - Improper Authentication

Assigner

vmware

References

1 reference

URL	Tags
https://spring.io/security/cve-2026-47838

Impacted products

1 product

Vendor	Product	Version
Spring	Spring Security	Affected: 5.7.0 , < 5.7.25 (custom) Affected: 5.8.0 , < 5.8.27 (custom) Affected: 6.3.0 , < 6.3.18 (custom) Affected: 6.4.0 , < 6.4.18 (custom) Affected: 6.5.0 , < 6.5.11 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47838",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T03:55:26.845Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Spring Security",
          "vendor": "Spring",
          "versions": [
            {
              "lessThan": "5.7.25",
              "status": "affected",
              "version": "5.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "5.8.27",
              "status": "affected",
              "version": "5.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.18",
              "status": "affected",
              "version": "6.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.4.18",
              "status": "affected",
              "version": "6.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "6.5.11",
              "status": "affected",
              "version": "6.5.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10."
            }
          ],
          "value": "SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can present a carefully crafted X.509 certificate with a malformed CN value can impersonate another user via SubjectDnX509PrincipalExtractor."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T23:50:07.988Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-47838"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized User Impersonation when Using X.509 Client Certificates",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-47838",
    "datePublished": "2026-06-09T23:50:07.988Z",
    "dateReserved": "2026-05-20T10:00:51.003Z",
    "dateUpdated": "2026-06-11T03:55:26.845Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1869

CVE-2026-40988 (GCVE-0-2026-40988)

CVE-2026-40993 (GCVE-0-2026-40993)

CVE-2026-41003 (GCVE-0-2026-41003)

CVE-2026-41008 (GCVE-0-2026-41008)

CVE-2026-41694 (GCVE-0-2026-41694)

CVE-2026-41706 (GCVE-0-2026-41706)

CVE-2026-47838 (GCVE-0-2026-47838)

Tags

Sightings

Nomenclature