CVE-2026-40991
Received Received - Intake
XXE Injection in Spring REST Docs

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-40991
EUVD
EUVD-2026-35885
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
spring_project spring_rest_docs to 4.0.0 (inc)
spring_project spring_rest_docs to 3.0.5 (inc)
spring_project spring_rest_docs to 2.0.9.release (exc)
spring_project spring_rest_docs to 3.0.6 (exc)
spring_project spring_rest_docs to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-40991 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40991 is a Medium-severity XML External Entity (XXE) injection vulnerability that affects Spring REST Docs versions 2.0.0.RELEASE through 4.0.0.

The vulnerability occurs when using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP.

If an attacker compromises the API or tricks a user into documenting a malicious API, they can exploit this flaw to perform an XXE injection attack during the next execution of the documentation-generating tests.

Impact Analysis

This vulnerability allows an attacker to perform an XML External Entity (XXE) injection attack when the documentation-generating tests are executed.

Such an attack can lead to the disclosure of sensitive data, denial of service, or other impacts depending on the XML parser's behavior and the environment.

Because the attack requires either compromising the API or tricking the user into documenting a malicious API, the risk is tied to the trustworthiness of the API being documented.

Mitigation Strategies

To mitigate the risk of the XXE injection vulnerability in Spring REST Docs, you should upgrade to the fixed versions: 2.0.9.RELEASE, 3.0.6, or 4.0.1.

Enterprise support users can also apply patches 2.0.9.RELEASE, 3.0.5.1, or 4.0.0.1.

No additional mitigation steps are required after upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart