CVE-2026-40993
Status: Received - Intake
Java Deserialization Flaw in Spring Security

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
Affected Vendors & Products

Vendor | Product | Version / Range
spring_project | spring_security | From 7.0.0 (inc) to 7.0.5 (inc)
CWE ID | Description
CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-40993 is a medium-severity vulnerability in Spring Security versions 7.0.0 to 7.0.5. It occurs because the JdbcAssertingPartyMetadataRepository component performs unfiltered Java native deserialization of SAML 2.0 asserting party credentials stored in a database.

An attacker who has write permissions to the database table named saml2_asserting_party_metadata can inject malicious serialized payloads into the verification_credentials or encryption_credentials columns. When the server reads and deserializes these payloads, it may execute arbitrary code.

Impact Analysis

This vulnerability can lead to remote code execution on the affected system if an attacker has write access to the relevant database table.

Such an attack could compromise the integrity and availability of the system by allowing the attacker to run arbitrary code with the privileges of the application.

Detection Guidance

This vulnerability can be detected by checking the TRACE logs of the affected Spring Security application for error messages related to deserialization failures.

Specifically, look for log entries starting with "Failed to deserialize due to ..." which indicate issues during the deserialization process of credentials stored in the saml2_asserting_party_metadata table.

No network-level detection is provided; inspecting the application logs at TRACE level is the recommended check.

Mitigation Strategies

The immediate mitigation step is to upgrade Spring Security to version 7.0.6 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, check the TRACE logs for deserialization failures and consider replacing the default deserialization of the credential columns through the method AssertingPartyMetadataRowMapper#setCredentialsDeserializer.
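As an added example (not Spring Security's code and not its 7.0.6 fix), the snippet below contrasts the unfiltered readObject the advisory describes with a read guarded by a java.io.ObjectInputFilter allowlist of the kind a custom credentials deserializer could apply to a stored column. StoredCredential, the class names in the allowlist and the size limits are hypothetical stand-ins.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class FilteredCredentialsDeserializer {
    // Hypothetical stand-in for one stored credential; not a Spring Security type.
    static final class StoredCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        final String kind;
        StoredCredential(String kind) { this.kind = kind; }
    }
    // Allowlist of the only classes a credentials column should contain, plus size limits;
    // the trailing "!*" rejects every other class before its constructor or readObject can run.
    static final ObjectInputFilter CREDENTIALS_FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredCredentialsDeserializer$StoredCredential;java.util.ArrayList;java.lang.String;"
            + "maxdepth=5;maxarray=100;maxrefs=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // filter == null reproduces the unfiltered read the advisory describes (any class on the
    // classpath is accepted); the hardened read installs the allowlist before the first readObject.
    static Object deserialize(byte[] column, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(column))) {
            if (filter != null) ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<StoredCredential> creds = new ArrayList<>();
        creds.add(new StoredCredential("verification"));
        System.out.println("filtered, expected types: " + ((List<?>) deserialize(serialize(creds), CREDENTIALS_FILTER)).size());
        // A harmless JDK class outside the allowlist stands in for an unexpected object in the column.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered accepts: " + deserialize(unexpected, null).getClass().getName());
        try {
            deserialize(unexpected, CREDENTIALS_FILTER);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

Requires Java 9 or later for ObjectInputFilter; a rejection surfaces as an InvalidClassException before any field of the rejected class is read.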
