AIKIDO-2026-11177

spring-security-saml2-service-provider is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption | CVE-2026-40988 | Published Today

55 (Medium Risk)

This Affects:

Java: spring-security-saml2-service-provider
  0.0.1 - 5.7.23, fixed in 5.7.24
  5.8.0 - 5.8.25, fixed in 5.8.26
  6.0.0 - 6.3.16, fixed in 6.3.17
  6.4.0 - 6.4.16, fixed in 6.4.17
  6.5.0 - 6.5.10, fixed in 6.5.11
  7.0.0 - 7.0.5, fixed in 7.0.6

TL;DR

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.
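The failure mode described above, as an added example that is not the library's own code: a bounded raw-DEFLATE inflater for the Redirect-binding SAMLRequest/SAMLResponse parameter that aborts as soon as the inflated size passes a cap, run against a constructed small request (accepted) and a constructed highly compressible blob (rejected). The class name, method names and the 64 KiB cap are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

// Added example, not spring-security's code: bounded inflate for the SAML 2.0 HTTP-Redirect binding.
public final class BoundedSamlInflater {
    static final int MAX_INFLATED_BYTES = 64 * 1024; // assumed cap; real SAML messages are a few KiB

    // Base64-decode the SAMLRequest/SAMLResponse parameter and inflate it, aborting once the cap is hit.
    static byte[] inflate(String base64Deflated) throws DataFormatException {
        Inflater inflater = new Inflater(true); // raw DEFLATE (no zlib header), as the Redirect binding specifies
        inflater.setInput(Base64.getDecoder().decode(base64Deflated));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                // No progress and no more input: a truncated stream would otherwise spin forever here.
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary()))
                    throw new DataFormatException("truncated or malformed DEFLATE stream");
                // Check before buffering, not after: a tiny compressed input can expand far beyond any real message.
                if (out.size() + n > MAX_INFLATED_BYTES)
                    throw new DataFormatException("inflated SAML message exceeds " + MAX_INFLATED_BYTES + " bytes");
                out.write(buf, 0, n);
            }
        } finally {
            inflater.end(); // release native zlib state even when we abort
        }
        return out.toByteArray();
    }

    // Test helper: raw-DEFLATE + base64, the encoding a peer applies to the message for the Redirect binding.
    static String deflateBase64(byte[] plain) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(plain);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!deflater.finished()) out.write(buf, 0, deflater.deflate(buf));
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a small request that must pass, and 8 MiB of zeros (a few KiB compressed) that must not.
        byte[] small = "<samlp:AuthnRequest ID=\"_c1\"/>".getBytes(StandardCharsets.UTF_8);
        System.out.println("accepted " + inflate(deflateBase64(small)).length + " bytes");
        try {
            inflate(deflateBase64(new byte[8 * 1024 * 1024]));
        } catch (DataFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second input is rejected after at most 64 KiB has been buffered, whereas an uncapped inflate loop would keep allocating until the full 8 MiB (or whatever the peer chose to send) sat in memory.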

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

spring-security-saml2-service-provider is vulnerable to Uncontrolled Resource Consumption in versions 0.0.1 - 5.7.23, 5.8.0 - 5.8.25, 6.0.0 - 6.3.16, 6.4.0 - 6.4.16, 6.5.0 - 6.5.10 and 7.0.0 - 7.0.5.

How to fix this

Upgrade the org.springframework.security:spring-security-saml2-service-provider library to the patched release for your line: 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11 or 7.0.6.