CVE-2026-40995
Status: Received - Intake
X509 Authentication Bypass in Spring Web Services

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: vmware
Product: spring_web_services
Version range: from 3.1.0 (inclusive) to 5.0.1 (inclusive)
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Impact Analysis

This vulnerability can allow unauthorized access by enabling users with disabled, locked, expired, or credential-expired accounts to authenticate successfully using X.509 certificate-based authentication.

As a result, attackers or unauthorized users might gain access to systems or services that should be restricted, potentially leading to information disclosure or unauthorized actions within the affected application.

Executive Summary

CVE-2026-40995 is a medium-severity vulnerability in Spring Web Services versions 3.1.0 through 5.0.1. It occurs because the X509AuthenticationProvider can issue a fully authenticated X509AuthenticationToken without performing the usual Spring Security account lifecycle checks, such as verifying if an account is disabled, locked, expired, or has expired credentials.

This means that when a certificate is presented and mapped to UserDetails, the system might authenticate users even if their accounts should be restricted or inactive, bypassing important security controls.
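The pattern the description implies, shown as an added illustration and not as Spring Web Services' own X509AuthenticationProvider code: resolve the certificate subject to UserDetails, then run Spring Security's AccountStatusUserDetailsChecker (assumed here to be the set of lifecycle checks the description refers to: disabled, locked, expired, credentials expired) before issuing an authenticated token. The class name, the in-memory subject-to-user map and the sample subject DNs are constructed for this example; the unchecked method is kept only to show the vulnerable shape beside the hardened one.

```java
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical certificate-based provider used to illustrate the missing check. */
public class CheckedCertificateProvider {

    // Constructed stand-in for a UserDetailsService keyed by certificate subject DN.
    private final Map<String, UserDetails> usersBySubject;
    // Spring Security's standard account lifecycle checker.
    private final UserDetailsChecker lifecycleChecker = new AccountStatusUserDetailsChecker();

    public CheckedCertificateProvider(Map<String, UserDetails> usersBySubject) {
        this.usersBySubject = usersBySubject;
    }

    /** Entry point for a real certificate: only the subject DN is used for the lookup. */
    public Authentication authenticate(X509Certificate cert) {
        return authenticateSubject(cert.getSubjectX500Principal().getName());
    }

    /** Vulnerable shape: a successful mapping alone yields a fully authenticated token. */
    public Authentication authenticateSubjectUnchecked(String subjectDn) {
        UserDetails user = lookup(subjectDn);
        // This constructor marks the token as authenticated.
        return new PreAuthenticatedAuthenticationToken(user, subjectDn, user.getAuthorities());
    }

    /** Hardened shape: the same mapping, followed by the lifecycle checks. */
    public Authentication authenticateSubject(String subjectDn) {
        UserDetails user = lookup(subjectDn);
        // Throws DisabledException, LockedException, AccountExpiredException or
        // CredentialsExpiredException (all AccountStatusException) for restricted accounts.
        lifecycleChecker.check(user);
        return new PreAuthenticatedAuthenticationToken(user, subjectDn, user.getAuthorities());
    }

    private UserDetails lookup(String subjectDn) {
        UserDetails user = usersBySubject.get(subjectDn);
        if (user == null) {
            throw new BadCredentialsException("No account for certificate subject " + subjectDn);
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample accounts; the password is irrelevant for certificate login.
        Map<String, UserDetails> users = new LinkedHashMap<>();
        users.put("CN=alice,O=Example",
            User.withUsername("alice").password("{noop}n/a").roles("USER").build());
        users.put("CN=bob,O=Example",
            User.withUsername("bob").password("{noop}n/a").roles("USER").disabled(true).build());
        users.put("CN=carol,O=Example",
            User.withUsername("carol").password("{noop}n/a").roles("USER").accountLocked(true).build());
        users.put("CN=dave,O=Example",
            User.withUsername("dave").password("{noop}n/a").roles("USER").credentialsExpired(true).build());

        CheckedCertificateProvider provider = new CheckedCertificateProvider(users);
        for (String dn : users.keySet()) {
            // Unchecked: every mapped subject, restricted or not, comes back authenticated.
            System.out.println(dn + " unchecked -> authenticated="
                + provider.authenticateSubjectUnchecked(dn).isAuthenticated());
            try {
                provider.authenticateSubject(dn);
                System.out.println(dn + " checked   -> accepted");
            } catch (AccountStatusException e) {
                // Checked: only alice is accepted; the others are rejected by status.
                System.out.println(dn + " checked   -> rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Running the class with spring-security-core and spring-security-web on the classpath prints an authenticated token for all four subjects on the unchecked path, while the checked path accepts only alice and rejects bob, carol and dave with DisabledException, LockedException and CredentialsExpiredException respectively. The point for a defender is that certificate mapping answers "who is this", and the UserDetailsChecker answers "is this account currently allowed in"; a provider that skips the second step is what the description above is about.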

Mitigation Strategies

The primary and recommended mitigation step is to upgrade Spring Web Services to a fixed version.

  • Upgrade to version 5.0.2 if you are on the 5.0.x release track.
  • Upgrade to version 4.1.4 if you are on the 4.1.x release track.
  • Upgrade to version 4.0.19 if you are on the 4.0.x release track.
  • Upgrade to version 3.1.9 if you are on the 3.1.x release track.

No additional mitigation steps are necessary beyond upgrading. For older unsupported versions, enterprise support is required to obtain patches.

Compliance Impact

The vulnerability allows authentication of disabled, locked, expired, or credential-expired accounts without applying standard account lifecycle checks. This improper authentication could lead to unauthorized access to sensitive data or systems.

Such unauthorized access risks violating compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

Therefore, if exploited, this vulnerability could undermine compliance by enabling access to accounts that should be restricted, potentially leading to data breaches or unauthorized data processing.
