Introduction
A newly disclosed SSRF vulnerability in Spring Web Services allows unauthenticated attackers to weaponize WS-Addressing headers, turning a SOAP endpoint into an open proxy capable of reaching internal networks, cloud metadata services, and other infrastructure that should never be externally accessible. Scored at CVSS 8.6 with a "Changed" scope designation, CVE-2026-40999 affects four major version branches of Spring WS and was patched on June 10, 2026, as part of what Broadcom calls the largest Spring security update in the framework's 23 year history.
Technical Information
Root Cause: Unvalidated WS-Addressing Destinations
The vulnerability resides in AbstractAddressingEndpointMapping, the class responsible for processing WS-Addressing headers in Spring Web Services. WS-Addressing is a W3C specification that provides a transport neutral mechanism for addressing web services and their messages. It allows SOAP clients to specify where responses (wsa:ReplyTo) and fault messages (wsa:FaultTo) should be delivered, rather than relying on the underlying transport protocol's reply channel.
The core problem is straightforward: AbstractAddressingEndpointMapping accepted destination URIs directly from incoming SOAP request headers and forwarded outbound connections to them via the configured WebServiceMessageSender instances, with no validation whatsoever. There was no allow list, no deny list, no scheme restriction, and no policy check of any kind. Whatever URI an attacker placed in the wsa:ReplyTo or wsa:FaultTo header, the server would dutifully connect to it.
This is a textbook instance of CWE-918 (Server-Side Request Forgery), which MITRE defines as a weakness where "a web server accepts a URL from a user or upstream component and retrieves its contents without validating whether the request is going to the intended destination." SSRF is included in the OWASP Top 10 as a critical web application security risk.
CVSS v3.1 Vector Analysis
The full CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, yielding a score of 8.6 (High).
| Component | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No special conditions required beyond the prerequisites |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action required |
| Scope (S) | Changed | Impact extends beyond the vulnerable component |
| Confidentiality (C) | High | Complete information disclosure possible |
| Integrity (I) | None | No direct integrity impact |
| Availability (A) | None | No direct availability impact |
The Scope: Changed designation is the key differentiator here. It indicates that the vulnerable component (Spring WS) can impact resources beyond its own security authority. The Spring WS server, sitting in a trusted network position, can reach internal services, databases, and cloud metadata endpoints that the external attacker has no direct access to. The Confidentiality: High rating reflects that an attacker can read data from these internal services, including IAM credentials from cloud metadata endpoints like http://169.254.169.254/latest/meta-data/.
Exploitation Prerequisites
The Spring advisory specifies that successful exploitation requires three conditions to converge:
-
An
AbstractAddressingEndpointMappingsubclass must be registered for out of band replies via WS-Addressing. This is not enabled by default in all Spring WS deployments. -
WS-Addressing headers must be accepted from untrusted callers. If all SOAP clients are internal and trusted, the risk is reduced (though not eliminated, as compromised internal clients could still exploit the flaw).
-
No destination validator or egress control must be active. Deployments without network level egress filtering or application level destination validation are fully exposed.
These conditions are not exotic. Any internet facing SOAP service that implements WS-Addressing for asynchronous response patterns and lacks egress controls meets all three criteria.
Attack Flow
An attacker exploiting CVE-2026-40999 would follow this sequence:
-
Identify a target Spring WS endpoint that accepts SOAP requests with WS-Addressing headers. This can be determined through WSDL inspection or by sending test requests with
wsa:ReplyToheaders and observing server behavior. -
Craft a SOAP request containing a
wsa:ReplyToorwsa:FaultToheader with a malicious destination URI. For cloud credential theft, this would be something likehttp://169.254.169.254/latest/meta-data/iam/security-credentials/. For internal network scanning, the attacker would iterate through internal IP ranges and ports. -
Send the crafted request to the vulnerable endpoint. No authentication is required.
-
The Spring WS server processes the request, generates a response (or fault), and initiates an outbound connection to the attacker specified URI via its configured
WebServiceMessageSender. -
The attacker observes the results. If the
wsa:ReplyTopoints to an attacker controlled server, the attacker receives the SOAP response payload directly. If the destination is an internal service, the attacker can infer information from response timing, error messages, or by chaining the SSRF with other techniques.
This attack enables several outcomes: internal network reconnaissance through response timing and error analysis, cloud metadata retrieval including IAM credentials and API keys, exfiltration of sensitive SOAP response payloads to attacker controlled infrastructure, and interaction with internal management interfaces not exposed to the internet.
Patch Information
On June 10, 2026, the Spring team released Spring Web Services 5.0.2 and 4.1.4 to address CVE-2026-40999. Both releases are publicly available on Maven Central and were announced on the official Spring blog.
What the Fix Changes
The fix introduces a new DestinationPolicy mechanism for WS-Addressing out of band destinations. This is tracked under GitHub issue #1836 (for the 4.1.x branch, milestone 4.1.4) and #1843 (forward ported to the 5.0.x branch, milestone 5.0.2). Both issues were created and closed by Spring team member snicoll, with #1843 explicitly noted as a "forward port of issue #1836 to 5.0.x." Both were closed on June 10, 2026.
The DestinationPolicy acts as a gate: before Spring WS sends any out of band reply or fault to a URI extracted from WS-Addressing headers, it now consults this policy to determine whether the destination is safe to connect to. The server will no longer blindly relay responses to arbitrary endpoints.
Version Matrix
| Affected Versions | Fix Version | Availability |
|---|---|---|
| 5.0.0 to 5.0.1 | 5.0.2 | OSS (public) |
| 5.0.1.1 | Enterprise Support Only | |
| 4.1.0 to 4.1.3 | 4.1.4 | OSS (public) |
| 4.1.3.1 | Enterprise Support Only | |
| 4.0.0 to 4.0.18 | 4.0.19 | Enterprise Support Only |
| 3.1.0 to 3.1.8 | 3.1.9 | Enterprise Support Only |
Versions 4.0.x and 3.1.x are considered end of life in open source support. Their fixes are only available through Spring's commercial enterprise support program via Broadcom's Tanzu division. Organizations on these older branches must either upgrade to a supported OSS branch (4.1.x or 5.0.x) or maintain an enterprise support contract.
Workaround for Deferred Upgrades
For users who cannot immediately upgrade, the Spring advisory describes a workaround: override the supports method on each configured WebServiceMessageSender to effectively allowlist safe destination URIs. The advisory provides a concrete Java example showing how to subclass JmsMessageSender and gate its supports() on a custom isAllowedDestination() check, and recommends applying the same pattern to HttpUrlConnectionMessageSender, MailMessageSender, and any other sender types in use. This aligns with the OWASP SSRF Prevention Cheat Sheet's recommendation that explicitly enumerating permitted destinations is more reliable than trying to block known bad ones.
Defense in Depth
Beyond patching, organizations should consider these layered defenses:
- Network level egress filtering: Restrict outbound connections from the Spring WS application server to only known, required destinations. This prevents the SSRF from reaching internal hosts or cloud metadata endpoints even if application level validation is bypassed.
- Block cloud metadata endpoints: Implement network level blocks on cloud provider metadata IP addresses (169.254.169.254) from application servers that have no legitimate need to access them.
- Authentication on internal services: Ensure that internal services reachable from the Spring WS server require authentication, limiting what an SSRF can accomplish even if a connection is made.
- WS-Addressing policy enforcement: Where WS-Addressing is required, restrict acceptance of non anonymous
ReplyTo/FaultToheaders to authenticated and authorized callers only.
Affected Systems and Versions
CVE-2026-40999 affects the following Spring Web Services version ranges:
- Spring Web Services 5.0.0 through 5.0.1 (5.0.x branch)
- Spring Web Services 4.1.0 through 4.1.3 (4.1.x branch)
- Spring Web Services 4.0.0 through 4.0.18 (4.0.x branch, end of life)
- Spring Web Services 3.1.0 through 3.1.8 (3.1.x branch, end of life)
Older unsupported branches prior to 3.1.x are also likely affected but have not received patches or formal assessment.
The vulnerability is specifically triggered when the following configuration conditions are met:
- An
AbstractAddressingEndpointMappingsubclass is registered for out of band replies via WS-Addressing. - WS-Addressing headers are accepted from untrusted callers.
- No destination validator or egress control is active.
Organizations should audit all Spring WS deployments across every version branch. The vulnerability is not limited to the latest branch, and older deployments on 4.0.x or 3.1.x may be particularly at risk given the lack of freely available patches.
Vendor Security History
The Spring ecosystem has experienced a notable volume of security activity in 2026. CVE-2026-40999 was patched alongside six other CVEs (CVE-2026-40994 through CVE-2026-41000) in the Spring WS 5.0.2 and 4.1.4 releases. These span a range of vulnerability types:
- CVE-2026-40994: Disabled BSP enforcement
- CVE-2026-40995: X509AuthenticationProvider bypass
- CVE-2026-40998: XXE via unhardened XPath
- CVE-2026-41000: UsernameToken replay issues
Beyond Spring WS, the broader Spring portfolio has seen CVE-2026-22732 (Spring Security caching issues), CVE-2026-41842 (Spring Framework DoS via static resource resolution), CVE-2026-22739 (Spring Cloud Config SSRF), and CVE-2026-45609 (Spring AI MCP Security SSRF).
The recurrence of SSRF vulnerabilities across different Spring projects is a pattern worth noting. The Spring Cloud Config, Spring AI MCP, and now Spring WS SSRF cases share a common structural theme: a protocol level feature that allows requesters to specify a destination, combined with a framework that processes that destination without safety checks. Organizations using Spring should proactively audit other components that handle externally influenced connection targets.
Broadcom's Tanzu division has responded with what it describes as the largest Spring security update in the framework's 23 year history, including day zero CVE patches and SLSA Level 3 supply chain security for the Java ecosystem.
References
- CVE-2026-40999 Spring Security Advisory
- CVE-2026-40999 CVE Record
- CVE-2026-40999 NVD Detail
- Spring Web Services 5.0.2 and 4.1.4 Release Announcement
- Spring WS v5.0.2 Release (GitHub)
- Spring WS v4.1.4 Release (GitHub)
- GitHub Issue #1843: DestinationPolicy for 5.0.x
- GitHub Issue #1836: DestinationPolicy for 4.1.x
- CWE-918: Server-Side Request Forgery (SSRF)
- OWASP SSRF Prevention Cheat Sheet
- Invicti: SOAP WS-Addressing SSRF
- Spring Web Services Project
- Spring Enterprise Repository (Broadcom TechDocs)
- Spring Security Advisories
- Canadian Centre for Cyber Security: Spring Advisory AV26-288
- Broadcom Bolsters Spring Security with Largest Update Ever
- CISA Known Exploited Vulnerabilities Catalog
- OWASP Top 10: Server-Side Request Forgery
- PortSwigger: Server-Side Request Forgery (SSRF)



