CVE-2026-40995
Status: Awaiting Analysis

X509 Authentication Bypass in Spring Web Services


Publication date: 2026-06-11

Last updated on: 2026-06-23

Assigner: VMware

Description

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
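As an added illustration (not code from Spring Web Services or its X509AuthenticationProvider), the Java class below shows the pattern the affected versions skipped: a certificate subject is mapped to UserDetails and is then passed through Spring Security's AccountStatusUserDetailsChecker before any authenticated result is returned. It assumes Spring Security on the classpath; the LifecycleCheckedX509Authenticator class, its AuthenticatedPrincipal record, and the sample accounts are constructed for this example.

```java
import java.util.Map;

import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/**
 * Example only: a certificate-subject-to-principal authentication step that
 * runs Spring Security's standard account lifecycle checks before any
 * authenticated result is produced. Not Spring Web Services' own provider.
 */
public class LifecycleCheckedX509Authenticator {

    /** Hypothetical result type standing in for an authenticated token. */
    public record AuthenticatedPrincipal(String username) {}

    // Stand-in for the certificate -> UserDetails mapping a real deployment
    // would obtain from its user-details service (constructed sample data).
    private final Map<String, UserDetails> usersBySubjectCn;

    // Spring Security's checker: throws LockedException, DisabledException,
    // AccountExpiredException or CredentialsExpiredException as appropriate.
    private final UserDetailsChecker statusChecker = new AccountStatusUserDetailsChecker();

    public LifecycleCheckedX509Authenticator(Map<String, UserDetails> usersBySubjectCn) {
        this.usersBySubjectCn = usersBySubjectCn;
    }

    /**
     * @param subjectCn CN taken from a client certificate the TLS layer already validated
     * @return an authenticated principal, only if the mapped account is usable
     * @throws AuthenticationException if no account maps, or the account is
     *         disabled, locked, expired, or has expired credentials
     */
    public AuthenticatedPrincipal authenticate(String subjectCn) {
        UserDetails user = usersBySubjectCn.get(subjectCn);
        if (user == null) {
            throw new BadCredentialsException("no account mapped to certificate subject " + subjectCn);
        }
        // The step the affected versions skipped: a certificate that maps to
        // UserDetails is not enough; the account's lifecycle state must pass too.
        statusChecker.check(user);
        return new AuthenticatedPrincipal(user.getUsername());
    }

    public static void main(String[] args) {
        // Constructed sample accounts, one per lifecycle state. The password is
        // irrelevant for certificate login but User requires a non-null value.
        Map<String, UserDetails> users = Map.of(
            "alice", User.withUsername("alice").password("{noop}n/a").roles("USER").build(),
            "bob",   User.withUsername("bob").password("{noop}n/a").roles("USER").disabled(true).build(),
            "carol", User.withUsername("carol").password("{noop}n/a").roles("USER").accountLocked(true).build(),
            "dave",  User.withUsername("dave").password("{noop}n/a").roles("USER").accountExpired(true).build(),
            "erin",  User.withUsername("erin").password("{noop}n/a").roles("USER").credentialsExpired(true).build()
        );
        LifecycleCheckedX509Authenticator auth = new LifecycleCheckedX509Authenticator(users);

        for (String cn : new String[] {"alice", "bob", "carol", "dave", "erin", "mallory"}) {
            try {
                System.out.println(cn + ": authenticated as " + auth.authenticate(cn).username());
            } catch (AuthenticationException e) {
                // Only alice is accepted; each other subject is rejected with the
                // lifecycle-specific exception (or BadCredentialsException for mallory).
                System.out.println(cn + ": rejected (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Running `main` prints one accepted line for alice and a rejection naming the specific exception for each of the other subjects; the point of the design is that the checker runs before, not after, the authenticated result exists, so a disabled or locked account can never obtain one.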

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-23
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor | Product | Version / Range
vmware | spring_web_services | From 3.1.0 (inclusive) to 5.0.1 (inclusive)

Exploitability

CWE: CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Impact Analysis

This vulnerability can allow unauthorized access by enabling users with disabled, locked, expired, or credential-expired accounts to authenticate successfully using X.509 certificate-based authentication.

As a result, attackers or unauthorized users might gain access to systems or services that should be restricted, potentially leading to information disclosure or unauthorized actions within the affected application.

Executive Summary

CVE-2026-40995 is a medium-severity vulnerability in Spring Web Services versions 3.1.0 through 5.0.1. It occurs because the X509AuthenticationProvider can issue a fully authenticated X509AuthenticationToken without performing the usual Spring Security account lifecycle checks, such as verifying if an account is disabled, locked, expired, or has expired credentials.

This means that when a certificate is presented and mapped to UserDetails, the system might authenticate users even if their accounts should be restricted or inactive, bypassing important security controls.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade Spring Web Services to a fixed version.

  • Upgrade to version 5.0.2 if you are on the 5.0.x release track.
  • Upgrade to version 4.1.4 if you are on the 4.1.x release track.
  • Upgrade to version 4.0.19 if you are on the 4.0.x release track.
  • Upgrade to version 3.1.9 if you are on the 3.1.x release track.

No additional mitigation steps are necessary beyond upgrading. For older, unsupported versions, an enterprise support subscription is required to obtain patches.

Compliance Impact

The vulnerability allows authentication of disabled, locked, expired, or credential-expired accounts without applying standard account lifecycle checks. This improper authentication could lead to unauthorized access to sensitive data or systems.

Such unauthorized access risks violating compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could undermine compliance by enabling access to accounts that should be restricted, potentially leading to data breaches or unauthorized data processing.
