CVE-2026-40999
Status: Awaiting Analysis
SSRF Vulnerability in Spring Web Services

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Affected Vendors & Products (3 associated CPEs)

Vendor   Product        Version / Range
spring   web_services   From 3.1.0 (inclusive) to 3.1.8 (inclusive)
spring   web_services   From 4.0.0 (inclusive) to 4.1.3 (inclusive)
spring   web_services   From 5.0.0 (inclusive) to 5.0.1 (inclusive)
CWE

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

CVE-2026-40999 is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to force Spring Web Services to make outbound connections to potentially unsafe destinations specified in request headers. This can lead to unauthorized access or exposure of internal systems or sensitive data.

Such unauthorized outbound connections and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access and transmission to protect personal and sensitive information.

Specifically, if an attacker exploits this vulnerability to access internal resources or sensitive data, it could result in breaches of confidentiality and data integrity, thereby violating regulatory requirements.

Mitigation involves upgrading to fixed versions or implementing destination allowlisting to prevent unsafe connections, which is critical to maintaining compliance with these standards.

Executive Summary

CVE-2026-40999 is a Server-Side Request Forgery (SSRF) vulnerability in Spring Web Services (Spring WS) versions 3.1.0 through 5.0.1.

The issue occurs when WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, allowing Spring WS to initiate outbound connections to destinations specified directly in request headers without verifying if those destinations are safe.

An attacker can exploit this by sending specially crafted headers that force the server to connect to internal hosts, cloud metadata endpoints, or other sensitive systems.

This vulnerability arises when an AbstractAddressingEndpointMapping subclass is registered with WebServiceMessageSender instances configured for outbound replies, the service accepts WS-Addressing headers from untrusted sources, and no destination validation or network egress controls are in place.

Impact Analysis

This vulnerability can allow an attacker to make the vulnerable server connect to internal or sensitive systems that are normally inaccessible from outside.

Such forced outbound connections can expose internal network resources, cloud metadata services, or other protected endpoints to unauthorized access or information disclosure.

Because the server trusts the destination addresses from request headers without validation, attackers can leverage this to bypass network restrictions and potentially gather sensitive data or perform further attacks.

Detection Guidance

This vulnerability can be detected by monitoring for outbound connections initiated by Spring Web Services to unexpected or suspicious destinations specified in WS-Addressing ReplyTo or FaultTo headers. Look for unusual outbound network traffic from your Spring WS server to internal hosts, cloud metadata endpoints, or other sensitive systems.

You can inspect network traffic or logs for WS-Addressing headers containing non-anonymous ReplyTo or FaultTo addresses. Additionally, check if your Spring WS deployment uses AbstractAddressingEndpointMapping subclasses with WebServiceMessageSender instances configured for outbound replies.

Suggested commands to detect suspicious activity include:

  • Use network monitoring tools like tcpdump or Wireshark to capture outbound traffic from the Spring WS server, filtering for unusual destination IPs or ports.
  • Example tcpdump command: sudo tcpdump -i <interface> host <spring_ws_server_ip> and outbound and not port 80 and not port 443
  • Search application logs for WS-Addressing headers with non-anonymous ReplyTo or FaultTo addresses, if logging is enabled.
  • Use grep or similar tools to find suspicious headers in logs: grep -i 'ReplyTo' /path/to/logs/*

Mitigation Strategies

Immediate mitigation steps include upgrading Spring Web Services to fixed versions: 5.0.2, 4.1.4, 4.0.19, or 3.1.9, depending on your current version.

If upgrading is not immediately possible, apply a temporary workaround by restricting allowed outbound destinations. This can be done by overriding the supports method in custom WebServiceMessageSender classes to enforce an allowlist of safe endpoints.

Additionally, implement network-level egress controls to block unauthorized outbound connections from the Spring WS server.
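As an added example (not code from this advisory or from the Spring WS project), a WebServiceMessageSender wrapper that implements the allowlist workaround described above: supports() answers true only for destinations on an explicit list, so the addressing endpoint mapping never opens a connection to a ReplyTo or FaultTo address taken from an untrusted request. The wrapper class, its configure helper and the destination partner.example.com are hypothetical; AnnotationActionEndpointMapping, HttpUrlConnectionMessageSender and setMessageSender are assumed to be the standard Spring WS types and setter.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import org.springframework.ws.soap.addressing.server.AnnotationActionEndpointMapping;
import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.WebServiceMessageSender;
import org.springframework.ws.transport.http.HttpUrlConnectionMessageSender;

/** Hypothetical wrapper: admits only ReplyTo/FaultTo destinations on an explicit allowlist. */
public class AllowlistingMessageSender implements WebServiceMessageSender {
    private final WebServiceMessageSender delegate;
    private final Set<String> allowed; // canonical "scheme://host:port" entries

    public AllowlistingMessageSender(WebServiceMessageSender delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = allowed;
    }

    /** Canonical scheme://host:port, or null unless the URI is plain http(s) with a host. */
    static String canonical(URI uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) return null;
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port = uri.getPort() != -1 ? uri.getPort()
                : "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
        if (port == -1) return null; // unknown scheme (file:, jms:, ...) is never allowed
        return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    @Override
    public boolean supports(URI uri) { // consulted by the addressing interceptor before sending
        String key = canonical(uri);
        return key != null && allowed.contains(key) && delegate.supports(uri);
    }

    @Override
    public WebServiceConnection createConnection(URI uri) throws IOException {
        if (!supports(uri)) { // defence in depth for any caller that skips supports()
            throw new IOException("ReplyTo/FaultTo destination not on allowlist: " + uri);
        }
        return delegate.createConnection(uri);
    }

    /** Wiring: out-of-band replies can now reach only the listed (assumed) destination. */
    public static void configure(AnnotationActionEndpointMapping mapping) {
        mapping.setMessageSender(new AllowlistingMessageSender(
                new HttpUrlConnectionMessageSender(), Set.of("https://partner.example.com:443")));
    }
}
```

A name-based allowlist does not help if a listed hostname later resolves to an internal address, so keep the network-level egress controls recommended above in place alongside it.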
