CVE-2026-40994
Status: Awaiting Analysis (Queue)
WS-Security BSP Bypass in Spring Web Services

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVSS Scores: not yet available
EPSS Scores: not yet evaluated (Probability: N/A; Percentile: N/A)
Meta Information: Published 2026-06-11; Last Modified 2026-06-11; Generated 2026-06-11; AI Q&A 2026-06-11; EPSS Evaluated N/A
External records: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
spring web_services From 5.0.0 (inc) to 5.0.1 (inc)
spring web_services From 4.1.0 (inc) to 4.1.3 (inc)
spring web_services From 4.0.0 (inc) to 4.0.18 (inc)
spring web_services From 3.1.0 (inc) to 3.1.8 (inc)
Weakness
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Detection Guidance

This vulnerability arises from the Wss4jSecurityInterceptor component in Spring Web Services initializing its BSP compliance flag in a way that disables WS-I BSP validation for inbound requests by default. Detection involves verifying the version of Spring Web Services in use and checking whether BSP compliance is explicitly enabled.

To detect if your system is vulnerable, first identify the Spring Web Services version running on your system. Versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 are affected.

Next, check the configuration of Wss4jSecurityInterceptor to see whether the BSP compliance flag is enabled. If it is not explicitly set to true via the setBspCompliant method, the system may be vulnerable, because on affected versions the default does not enforce BSP on inbound validation.

Since this is a software configuration issue rather than a network signature-based vulnerability, there are no specific network commands to detect exploit attempts. However, you can use commands to check the version and configuration of your Spring Web Services deployment.

  • Check the Spring Web Services version in your project dependencies or runtime environment, for example by inspecting your build files (pom.xml for Maven or build.gradle for Gradle) or by querying the application at runtime.
  • Review your application configuration files or source code to verify if the setBspCompliant(true) method is called on Wss4jSecurityInterceptor.
  • If you have access to the running Java process, you can use Java debugging or JMX tools to inspect the Wss4jSecurityInterceptor instance configuration.
Executive Summary

CVE-2026-40994 is a security vulnerability in the Wss4jSecurityInterceptor component of Spring Web Services. The issue arises because the BSP (WS-I Basic Security Profile) compliance flag is initialized in a way that disables BSP validation by default for inbound WS-Security requests.

This means that services validating WS-Security messages on the network could accept messages that violate BSP rules, which are designed to enforce secure and interoperable WS-Security usage. As a result, protocol-level security checks are weakened.

Impact Analysis

This vulnerability can impact you by allowing potentially malicious WS-Security messages that do not comply with the WS-I Basic Security Profile to be accepted by your services.

Because the protocol-level checks are weakened, attackers might exploit this to bypass security controls related to message signatures and other security constructs, potentially leading to unauthorized access or data manipulation.

Mitigation Strategies

To mitigate the vulnerability in Wss4jSecurityInterceptor, you should upgrade your Spring Web Services to the fixed versions:

  • 5.0.2 (OSS) or 5.0.1.1 (Enterprise Support Only) for 5.0.x versions
  • 4.1.4 (OSS) or 4.1.3.1 (Enterprise Support Only) for 4.1.x versions
  • 4.0.19 (Enterprise Support Only) for 4.0.x versions
  • 3.1.9 (Enterprise Support Only) for 3.1.x versions

If upgrading is not possible immediately, you can explicitly enable BSP compliance by calling the setBspCompliant method with a true argument in your configuration to enforce WS-I BSP validation.
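The following Java configuration is an added example, not code from this page or from the Spring Web Services project, illustrating the workaround above and the configuration check described under Detection Guidance: the interceptor's BSP compliance flag is set explicitly to true rather than left at the version-dependent default. The package name, class name, keystore path and keystore password are constructed placeholders; the validation actions shown (Timestamp and Signature) are one common inbound policy, not a requirement of the fix; and registering the interceptor by implementing WsConfigurer assumes a release where its other methods have default implementations (older releases extend WsConfigurerAdapter instead).

```java
package com.example.ws; // placeholder package

import java.util.List;

import org.apache.wss4j.common.crypto.Crypto;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurer;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
@EnableWs
public class WsSecurityConfig implements WsConfigurer {

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        // Trust store holding the certificates of accepted signers.
        // Location and password are placeholder values.
        CryptoFactoryBean cryptoFactory = new CryptoFactoryBean();
        cryptoFactory.setKeyStoreLocation(new ClassPathResource("truststore.jks"));
        cryptoFactory.setKeyStorePassword("changeit");
        cryptoFactory.afterPropertiesSet();
        Crypto validationCrypto = cryptoFactory.getObject();

        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Inbound policy: every request must carry a Timestamp and a Signature
        // that verifies against the trust store above.
        interceptor.setValidationActions("Timestamp Signature");
        interceptor.setValidationSignatureCrypto(validationCrypto);

        // CVE-2026-40994 workaround: on affected versions the default leaves
        // WSS4J BSP enforcement disabled for inbound validation. Setting the flag
        // explicitly makes WS-I Basic Security Profile rules enforced regardless
        // of the version-dependent default. This is also the line the detection
        // guidance tells you to look for in source review.
        interceptor.setBspCompliant(true);

        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        try {
            interceptors.add(securityInterceptor());
        } catch (Exception e) {
            // Fail startup rather than run without WS-Security validation.
            throw new IllegalStateException("WS-Security interceptor could not be created", e);
        }
    }
}
```

When reviewing an existing deployment, the absence of the setBspCompliant(true) call (or of an equivalent bspCompliant property in XML configuration) on an affected version is the signal that the interceptor is running with BSP enforcement off; the explicit call costs nothing on fixed versions, so it is reasonable to keep it after upgrading.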

Compliance Impact

This vulnerability weakens protocol-level WS-Security checks by disabling WS-I Basic Security Profile (BSP) enforcement on inbound requests by default. As a result, services may accept WS-Security messages that violate BSP rules, potentially undermining message integrity and security.

Since WS-Security is often used to ensure secure message exchange in environments subject to compliance standards such as GDPR and HIPAA, this weakening of security controls could lead to non-compliance with these regulations' requirements for data protection and message integrity.

To maintain compliance, affected users should upgrade to fixed versions or explicitly enable BSP compliance to ensure protocol-level security checks are enforced.
