CVE-2026-41000
Received - Intake
Inconsistent WSS4J ReplayCache Integration in Spring Web Services

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Affected Vendors & Products
Vendor | Product | Version / Range
spring_project | spring_web_services | From 3.1.0 (inc) to 5.0.1 (inc)
CWE ID | Description
CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
Executive Summary

CVE-2026-41000 is a security vulnerability in Spring Web Services versions 3.1.0 to 5.0.1, specifically in the Wss4jSecurityInterceptor component.

The issue is that this component does not consistently use the configured replay cache mechanisms from Apache WSS4J during validation checks.

Because of this, protections against replay attacks involving UsernameToken nonces, creation timestamps, Timestamp elements, and certain SAML one-time-use semantics can be bypassed, even if a replay cache is enabled.

This means attackers could potentially resend valid cryptographic tokens or messages within their acceptance window without being detected.

Impact Analysis

This vulnerability can allow attackers to replay valid SOAP messages that include UsernameToken nonces, timestamps, or SAML one-time-use tokens.

As a result, an attacker might be able to bypass replay protections and reuse authentication tokens or messages, potentially leading to unauthorized actions or access.

This could undermine the integrity of your web services by allowing repeated submission of previously valid requests.

Detection Guidance

This vulnerability affects services that validate UsernameToken nonces, creation timestamps, Timestamp elements, and certain SAML one-time-use semantics in SOAP messages. Detection involves monitoring for replayed SOAP messages that reuse these cryptographic elements within the acceptance window.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Spring Web Services to one of the fixed versions: 5.0.2, 4.1.4, 4.0.19, or 3.1.9.

If upgrading is not immediately possible, you can manually implement a replay cache by extending the Wss4jSecurityInterceptor and overriding the initializeValidationRequestData method to explicitly set replay caches for nonce, timestamp, and SAML one-time-use checks.
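
The override described above, written out as an added example (it is not code from the Spring advisory or the Spring Web Services project). The class name ReplayCacheEnforcingInterceptor and the choice of WSS4J's in-memory MemoryReplayCache are assumptions made for illustration.

```java
import org.apache.wss4j.common.cache.MemoryReplayCache;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.dom.handler.RequestData;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

// Hypothetical subclass name; not part of Spring Web Services.
public class ReplayCacheEnforcingInterceptor extends Wss4jSecurityInterceptor {

    // One long-lived cache per check, shared by every request this interceptor
    // handles. A cache created per request would never see a repeated value.
    // Assumption: MemoryReplayCache is acceptable here. It is local to one JVM,
    // so nodes behind a load balancer would not see each other's entries.
    private final ReplayCache nonceCache = new MemoryReplayCache();
    private final ReplayCache timestampCache = new MemoryReplayCache();
    private final ReplayCache samlOneTimeUseCache = new MemoryReplayCache();

    @Override
    protected RequestData initializeValidationRequestData(MessageContext messageContext) {
        // Keep everything the base interceptor configures, then attach the caches
        // explicitly so the WSS4J validators find them at validation time.
        RequestData requestData = super.initializeValidationRequestData(messageContext);
        requestData.setNonceReplayCache(nonceCache);                   // UsernameToken nonce + created
        requestData.setTimestampReplayCache(timestampCache);           // Timestamp elements
        requestData.setSamlOneTimeUseReplayCache(samlOneTimeUseCache); // SAML one-time-use
        return requestData;
    }
}
```

Register this subclass in place of the existing Wss4jSecurityInterceptor bean and carry over its validation settings unchanged.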

Compliance Impact

This vulnerability allows attackers to bypass replay protections for security tokens and timestamps, potentially enabling the resubmission of valid cryptographic material within the acceptance window.

Such a flaw could undermine the integrity and non-repudiation guarantees of secure communications, which are important for compliance with standards and regulations like GDPR and HIPAA that require protection of data integrity and prevention of unauthorized access or replay attacks.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.
