
AIKIDO-2026-206605

spring-ws-core is vulnerable to Server-side Request Forgery (SSRF)

Server-side Request Forgery (SSRF)
CVE-2026-40999
Published Today

86 (High Risk)

This affects:

Java: spring-ws-core
0.0.1 - 3.1.8 (fixed in 3.1.9)
4.0.0 - 4.0.18 (fixed in 4.0.19)
4.1.0 - 4.1.3 (fixed in 4.1.3.1)
5.0.0 - 5.0.1 (fixed in 5.0.1.1)

TL;DR

Spring WS contains a server-side request forgery (SSRF) vulnerability when processing WS-Addressing ReplyTo and FaultTo headers. Applications that accept WS-Addressing headers from untrusted sources and use out-of-band replies may initiate outbound connections to attacker-controlled destinations without validating their safety. An attacker can exploit this behavior to force the application to connect to internal systems, cloud metadata services, or other restricted network resources.

Who does this affect?

You are affected if you use a vulnerable version.

Background info

spring-ws-core is vulnerable to Server-side Request Forgery (SSRF) in versions 0.0.1 - 3.1.8, 4.0.0 - 4.0.18, 4.1.0 - 4.1.3 and 5.0.0 - 5.0.1.

How to fix this

Upgrade the org.springframework.ws:spring-ws-core library to a patched version (3.1.9, 4.0.19, 4.1.3.1 or 5.0.1.1, depending on your release line). If you cannot upgrade, restrict the destinations that each configured message sender accepts by overriding its supports method, so that out-of-band replies to ReplyTo and FaultTo addresses can only reach destinations you have approved.
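As an added example (not code from the advisory or from the Spring WS project), the following sender keeps the http/https scheme check inherited from Spring WS's HttpUrlConnectionMessageSender and additionally accepts only an allowlist of callback hosts over TLS. The host names, the port policy and the wiring into AnnotationActionEndpointMapping are assumptions about a typical deployment, not values from the page.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import org.springframework.ws.soap.addressing.server.AnnotationActionEndpointMapping;
import org.springframework.ws.transport.WebServiceMessageSender;
import org.springframework.ws.transport.http.HttpUrlConnectionMessageSender;

/**
 * Message sender that only agrees to deliver out-of-band WS-Addressing
 * replies (ReplyTo / FaultTo) to an explicit allowlist of hosts.
 * Added example: host names and port policy are assumptions.
 */
public class AllowlistedMessageSender extends HttpUrlConnectionMessageSender {

    // Assumed callback hosts; replace with the partners your deployment really calls back.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("callbacks.partner.example", "replies.internal.example");

    @Override
    public boolean supports(URI uri) {
        // Keep the parent's scheme check (http or https) and refuse URIs without a host.
        if (!super.supports(uri) || uri.getHost() == null) {
            return false;
        }
        // Compare the literal host from the header, case-insensitively; IP literals
        // (including bracketed IPv6) are not on the list and are therefore rejected.
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        boolean hostAllowed = ALLOWED_HOSTS.contains(host);

        // Only https on the default port is accepted for callbacks (assumed policy);
        // this rules out plain http and arbitrary ports such as metadata services.
        boolean transportAllowed = "https".equalsIgnoreCase(uri.getScheme())
                && (uri.getPort() == -1 || uri.getPort() == 443);

        return hostAllowed && transportAllowed;
    }

    /**
     * Assumed bean setup: the senders configured on the addressing endpoint mapping are
     * the ones consulted for ReplyTo / FaultTo delivery, so the restricted sender goes here.
     */
    public static AnnotationActionEndpointMapping addressingMapping() {
        AnnotationActionEndpointMapping mapping = new AnnotationActionEndpointMapping();
        mapping.setMessageSenders(new WebServiceMessageSender[] { new AllowlistedMessageSender() });
        return mapping;
    }
}
```

Because the check runs on the host string taken from the header rather than on the resolved address, pair it with egress filtering at the network layer for defence in depth.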