CVE-2026-40997
Essential information
- Published
- 11/06/2026 09:16
- Modified
- 11/06/2026 15:21
- Author
- The MITRE Corporation
- Creator
- The MITRE Corporation
- CVSS
- 5.3 MEDIUM (v3.1)
- CISA KEV
- No
- CWE
- CWE-209
- CVSS vector
-
—
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- Network
- Attack complexity
- Low
- Privileges required
- None
- User interaction
- None
- Scope
- Unchanged
- Confidentiality impact
- Low
- Integrity impact
- None
- Availability impact
- None
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state.
Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| vmware / spring web services | cpe:2.3:a:vmware:spring_web_services:5.0.0-5.0.1:*:*:*:*:*:*:* |
| vmware / spring web services | cpe:2.3:a:vmware:spring_web_services:4.1.0-4.1.3:*:*:*:*:*:*:* |
| vmware / spring web services | cpe:2.3:a:vmware:spring_web_services:4.0.0-4.0.18:*:*:*:*:*:*:* |
| vmware / spring web services | cpe:2.3:a:vmware:spring_web_services:3.1.0-3.1.8:*:*:*:*:*:*:* |