ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-40994 Spring Web Services BSP Enforcement Bypass via Insecure Default Initialization

A short review of CVE-2026-40994, a high severity insecure default in Spring Web Services where Wss4jSecurityInterceptor silently disables WS-I Basic Security Profile enforcement, allowing BSP-violating SOAP messages to pass validation on affected deployments.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: CVE-2026-40994 Spring Web Services BSP Enforcement Bypass via Insecure Default Initialization
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A silently disabled security control in one of the most widely deployed Java frameworks just exposed enterprise SOAP services to message integrity bypass. Spring Web Services' Wss4jSecurityInterceptor initialized its WS-I Basic Security Profile (BSP) compliance flag in a way that turned off BSP enforcement for inbound messages, contradicting the secure default built into the underlying Apache WSS4J library and leaving services open to accepting non-compliant WS-Security messages over the network.

With Spring powering applications at more than half of the Fortune 500, and SOAP based web services remaining a backbone of financial services, healthcare, and government integrations, the blast radius of this insecure default (scored CVSS 8.2) is significant. The vulnerability was disclosed on June 10, 2026 as part of what Broadcom described as the largest Spring security update in the framework's 23 year history.

Technical Information

Root Cause: Insecure Default Initialization (CWE-1188)

The vulnerability resides in the Wss4jSecurityInterceptor class within Spring Web Services. This component is responsible for enforcing WS-Security standards on SOAP messages by delegating cryptographic processing to Apache WSS4J. As part of its initialization, the interceptor configures a RequestData object that governs WSS4J's validation behavior for inbound messages.

The core flaw is straightforward: Wss4jSecurityInterceptor initialized its BSP compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. This directly contradicts the secure default established by Apache WSS4J itself. In WSS4J 1.6.x and later, the wsiBSPCompliant flag in WSSConfig defaults to true, meaning BSP checks are active unless explicitly turned off. The Spring WS interceptor's initialization logic overrode this secure default, effectively stripping BSP validation from any application using the interceptor without having explicitly called setBspCompliant(true).

This is classified under CWE-1188 ("Initialization of a Resource with an Insecure Default"), which describes weaknesses where "the product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure." The CWE documentation notes that "developers often choose default values that leave the product as open and easy to use as possible out of the box," which is precisely what occurred here.

What BSP Enforcement Actually Does

The WS-I Basic Security Profile (BSP) 1.1 specification provides an industry standard way of ensuring interoperability between different WS-Security stacks by clarifying and narrowing the scope of the various WS-Security standards. When BSP enforcement is active, WSS4J validates that inbound messages conform to strict rules regarding:

  • Security element ordering
  • Algorithm strength requirements
  • Signature and timestamp profiles
  • Token profile conformance

When BSP enforcement is disabled, these conformance checks are skipped entirely. Messages that violate BSP rules pass validation as if the rules did not exist.

Attack Flow

The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N tells us the exploitation profile:

CVSS ComponentValueImplication
Attack VectorNetworkExploitable remotely
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo user action required
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityLowMinor information disclosure possible
IntegrityHighComplete integrity compromise of message validation
AvailabilityNoneNo direct availability impact

An attacker exploits this vulnerability through the following sequence:

  1. Identify a target service that uses Wss4jSecurityInterceptor for inbound WS-Security validation. These are SOAP endpoints, commonly found in enterprise and government environments.
  2. Craft SOAP messages that violate BSP rules. Because BSP enforcement is silently disabled by default, the service will accept these non-compliant messages.
  3. The preconditions are: (a) the application uses Wss4jSecurityInterceptor or equivalent wiring for inbound WS-Security validation, and (b) BSP compliance has not been explicitly enabled via the setBspCompliant setter.

The insecure default is applied automatically, meaning most deployments using the interceptor would be vulnerable without any misconfiguration by the operator. The application appears to function normally; there is no error, no warning, and no indication that an entire class of validation has been silently disabled.

Distinction from Other CVEs in the Same Release

This vulnerability differs from the other six CVEs patched in the same release in an important way. While CVE-2026-40995 (disabled account bypass), CVE-2026-40996 (weak RSA algorithm), CVE-2026-40998 (XXE), and CVE-2026-40999 (SSRF) represent distinct implementation flaws, CVE-2026-40994 is a configuration default flaw. It does not require a logic error in the processing of a specific message construct; rather, it silently disables an entire class of validation. This makes it simultaneously harder to detect (the application appears to function normally) and broader in impact (all BSP defined checks are skipped).

The full set of CVEs addressed in the June 10, 2026 release:

CVEDescription
CVE-2026-40994BSP enforcement disabled by default (this CVE)
CVE-2026-40995X509AuthenticationProvider ignores disabled/locked/expired account state
CVE-2026-40996Weak RSA PKCS #1 v1.5 key transport algorithm not disabled
CVE-2026-40997Error messages leak specific authentication failure reason (user enumeration)
CVE-2026-40998Jaxp13XPathTemplate vulnerable to XXE attacks
CVE-2026-40999SSRF via WS-Addressing out of band replies
CVE-2026-41000Replay cache for UsernameToken nonce and timestamps misconfigured

Affected Systems and Versions

Four major version branches of Spring Web Services are affected:

Version BranchAffected RangeFixed Version (OSS)Fixed Version (Enterprise)
5.0.x5.0.0 through 5.0.15.0.25.0.1.1
4.1.x4.1.0 through 4.1.34.1.44.1.3.1
4.0.x4.0.0 through 4.0.18Not available (OSS EOL)Via Enterprise Support
3.1.x3.1.0 through 3.1.8Not available (OSS EOL)Via Enterprise Support

Any application using Wss4jSecurityInterceptor for inbound WS-Security validation is vulnerable unless BSP compliance has been explicitly enabled via the setBspCompliant(true) setter. The 4.0.x and 3.1.x branches are no longer under active open source support and do not have public patches; fixes for these branches are available exclusively through VMware's Enterprise Support offering.

It is worth noting that Spring Framework 6.2 and Spring Boot 3.5 reach end of life on June 30, 2026, just weeks after this disclosure. Organizations on those versions face compounding pressure to upgrade both their Spring versions and their support contracts to maintain security coverage.

Vendor Security History

The Spring ecosystem has experienced a notable cadence of security advisories throughout 2026:

  • CVE-2026-41842 and CVE-2026-41849: Spring Framework Denial of Service vulnerabilities
  • CVE-2026-22732: Spring Security HTTP caching issues under certain conditions
  • CVE-2026-40976: Spring Boot default web security bypass

The pattern of insecure default configurations has been a recurring theme in Spring security advisories. CVE-2026-40994 fits squarely into this pattern as another instance where a framework component shipped with a default that weakened security rather than enforcing it.

Broadcom's June 2026 coordinated release addressed seven security vulnerabilities simultaneously across Spring Web Services, described as the largest Spring security update in the framework's 23 year history. The scale was reportedly driven by a 1,700% monthly increase in AI discovered advisories affecting the Java and Spring ecosystem.

VulnCheck's analysis of routinely targeted vulnerabilities in 2026 documented cases where Spring adjacent vulnerabilities that were not exploited at time of disclosure were later used in the wild, underscoring the importance of prompt patching even in the absence of confirmed exploitation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization