
AIKIDO-2026-819079

spring-ws-security is vulnerable to Initialization of a Resource with an Insecure Default

Weakness: Initialization of a Resource with an Insecure Default
CVE: CVE-2026-40994 (published today)

Severity score: 80 (High Risk)

This Affects:

Ecosystem: Java (org.springframework.ws:spring-ws-security)

Affected range -> fixed in
0.0.1 - 3.1.8 -> 3.1.9
4.0.0 - 4.0.18 -> 4.0.19
4.1.0 - 4.1.3 -> 4.1.3.1
5.0.0 - 5.0.1 -> 5.0.1.1

TL;DR

Spring Web Services Security contains an insecure default configuration in Wss4jSecurityInterceptor that disables WS-I Basic Security Profile (BSP) enforcement during inbound WS-Security validation. Applications relying on the default configuration may accept WS-Security messages that violate BSP requirements for signatures and related security constructs, weakening protocol-level security checks and increasing the risk of malformed or non-compliant messages being accepted.

Who does this affect?

You are affected if your application uses spring-ws-security in one of the listed ranges and relies on Wss4jSecurityInterceptor for inbound WS-Security validation without explicitly enabling BSP compliance. Deployments that already call setBspCompliant(true) on every interceptor that validates incoming messages are not exposed to the insecure default, but should still upgrade.

Background info

spring-ws-security is vulnerable to Initialization of a Resource with an Insecure Default in versions 0.0.1 - 3.1.8, 4.0.0 - 4.0.18, 4.1.0 - 4.1.3 and 5.0.0 - 5.0.1.

How to fix this

Upgrade the org.springframework.ws:spring-ws-security library to a fixed version for your branch: 3.1.9, 4.0.19, 4.1.3.1 or 5.0.1.1. If you are not able to upgrade, enable BSP compliance explicitly by calling the setBspCompliant setter with true on every Wss4jSecurityInterceptor that performs inbound validation; an interceptor left at the default configuration in an affected version will not enforce the WS-I Basic Security Profile on the messages it validates.
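The mitigation as a Spring configuration class. This is an added example, not code from the advisory or from the Spring Web Services project. It assumes a server keystore at server.jks on the classpath with the password shown, and that the application registers endpoint interceptors through a WsConfigurerAdapter; those details are placeholders for your own deployment. The only security-relevant line is the explicit setBspCompliant(true) call, which the advisory names as the workaround.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

/**
 * Added example (not the advisory's or the project's own code): wires a
 * Wss4jSecurityInterceptor for inbound validation with WS-I BSP enforcement
 * switched on explicitly, so the behaviour does not depend on the library's
 * default in affected spring-ws-security versions.
 */
@EnableWs
@Configuration
public class WsSecurityConfig extends WsConfigurerAdapter {

    /** Keystore holding the certificates used to verify inbound signatures.
     *  Location and password are placeholders (assumption, not from the advisory). */
    @Bean
    public CryptoFactoryBean serverCrypto() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource("server.jks"));
        crypto.setKeyStorePassword("changeit");
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Inbound validation: require a Timestamp and a Signature on every request.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(serverCrypto().getObject());

        // Mitigation for CVE-2026-40994: in affected versions the interceptor
        // is created with BSP enforcement disabled. Setting it explicitly makes
        // WSS4J reject signatures and related WS-Security constructs that
        // violate the WS-I Basic Security Profile instead of accepting them.
        // Omitting this line on an unfixed version leaves the insecure default.
        interceptor.setBspCompliant(true);

        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        try {
            interceptors.add(securityInterceptor());
        } catch (Exception e) {
            // Fail startup rather than run without the security interceptor.
            throw new IllegalStateException("could not build WS-Security interceptor", e);
        }
    }
}
```

Apply the same setter to every interceptor instance that validates inbound messages, including any defined in XML configuration, since each instance carries its own bspCompliant flag. After upgrading to a fixed version the explicit call is harmless and documents the intended policy.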