CVE-2026-41694

SAML Decryption Oracle in Spring Security

Vulnerability report for CVE-2026-41694, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-27

Assigner: VMware

Description

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.


Meta Information

Published
2026-06-10
Last Modified
2026-06-27
Generated
2026-06-30
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-29

Affected Vendors & Products

Showing 6 associated CPEs (lower bound inclusive, upper bound exclusive; the upper bound is the first fixed release)
Vendor   Product          Version / Range
vmware   spring_security  >= 5.7.0, < 5.7.24
vmware   spring_security  >= 5.8.0, < 5.8.26
vmware   spring_security  >= 6.3.0, < 6.3.17
vmware   spring_security  >= 6.4.0, < 6.4.17
vmware   spring_security  >= 6.5.0, < 6.5.11
vmware   spring_security  >= 7.0.0, < 7.0.6

CWE
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Executive Summary

CVE-2026-41694 is a signature-verification flaw (CWE-347) in Spring Security's SAML 2.0 Service Provider support: SAML Responses, and elements of SAML LogoutRequests and LogoutResponses, are decrypted before a valid signature is required.

Because decryption happens on unauthenticated input, an attacker can submit crafted SAML messages containing chosen encrypted elements and use the Service Provider as a decryption oracle.

Impact Analysis

An attacker who can reach the Service Provider's SAML endpoints (the ones that accept Responses and LogoutRequests/LogoutResponses, i.e. the assertion consumer and single-logout endpoints) sends crafted messages containing encrypted elements of their choosing.

Because the Service Provider applies its decryption key to those elements before requiring a valid signature from the Identity Provider, its behaviour reflects the outcome of decrypting attacker-chosen ciphertext; that is what makes it a decryption oracle. A valid signature check before decryption would reject the forged message without ever touching the key.

What the oracle exposes depends on the deployment. The material encrypted to the Service Provider's key is normally the assertion carrying the user's identity and attributes, so ciphertext captured from legitimate logins is the natural target. The advisory lists no configuration-level workaround; the fix is in the library itself.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Spring Security version to one of the fixed releases corresponding to your current version.

  • Upgrade to 5.7.24 if you are using any version from 5.7.0 to 5.7.23.
  • Upgrade to 5.8.26 if you are using any version from 5.8.0 to 5.8.25.
  • Upgrade to 6.3.17 if you are using any version from 6.3.0 to 6.3.16.
  • Upgrade to 6.4.17 if you are using any version from 6.4.0 to 6.4.16.
  • Upgrade to 6.5.11 if you are using any version from 6.5.0 to 6.5.10.
  • Upgrade to 7.0.6 if you are using any version from 7.0.0 to 7.0.5.

Fixes for the 5.7.x, 5.8.x, 6.3.x and 6.4.x lines are available only through commercial (enterprise) support; the 6.5.x and 7.0.x fixes are in the open-source releases. Minor lines the advisory does not name (for example 6.0 through 6.2) have no fixed release identified; that is not a statement that they are safe, so treat them as unsupported and move to a listed fixed line. The SAML Service Provider code ships in the spring-security-saml2-service-provider artifact, but Spring Security artifacts are versioned together, so upgrade every spring-security artifact in the build to the same fixed release rather than just that one.
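A quick way to find affected versions in a build, as an added example that is not code from this page or from the Spring project: it parses the plain-text output of `mvn dependency:tree` or `gradle dependencies` (line formats assumed from those tools' usual output), maps each spring-security artifact to the ranges above, and distinguishes "affected", "fixed" and "unlisted" lines. The sample tool outputs below are constructed, not captured from a real build.

```python
"""Map Spring Security versions found in a build to the CVE-2026-41694 ranges.

Added example, not code from the page or from the Spring project. It parses the
plain-text output of `mvn dependency:tree` or `gradle dependencies` (line formats
assumed from those tools' usual output) and reports, per spring-security
artifact, whether the version is affected and which release fixes it.
"""
import re
import sys

# Affected ranges from the advisory: (first affected, inclusive; first fixed, exclusive).
AFFECTED_RANGES = [
    ("5.7.0", "5.7.24"),
    ("5.8.0", "5.8.26"),
    ("6.3.0", "6.3.17"),
    ("6.4.0", "6.4.17"),
    ("6.5.0", "6.5.11"),
    ("7.0.0", "7.0.6"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.\-]+))?$")


def parse_version(text):
    """Return a sortable (major, minor, patch, release_flag) tuple.

    Assumption: any qualifier (6.5.11-SNAPSHOT, 7.0.6-RC1) sorts *before* the
    plain release, so a pre-release of the fixed version still counts as affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), 0 if qualifier else 1)


def classify(version):
    """Classify one version as ('affected', fixed_version), ('fixed', None) or
    ('unlisted', None). 'unlisted' means the advisory names no range for that
    minor line (e.g. 6.0-6.2); it is not a statement that the line is safe."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        lo, fx = parse_version(low), parse_version(fixed)
        if v[:2] != lo[:2]:          # different major.minor line
            continue
        if v < fx:                   # same line, before the first fixed release
            return ("affected", fixed)
        return ("fixed", None)
    return ("unlisted", None)


# One regex for both tools (formats assumed):
#   Maven : +- org.springframework.security:spring-security-web:jar:6.4.5:compile
#   Gradle: +--- org.springframework.security:spring-security-web:6.4.5 -> 6.4.6
#           +--- org.springframework.security:spring-security-core -> 6.4.6
_ARTIFACT_RE = re.compile(
    r"org\.springframework\.security:(spring-security-[A-Za-z0-9-]+)"
    r"(?::(?:jar:)?([0-9][A-Za-z0-9.\-]*))?"  # declared version, if printed
    r"(?:\s*->\s*([0-9][A-Za-z0-9.\-]*))?"    # Gradle's resolved version, if different
)


def scan_dependency_output(text):
    """Return a de-duplicated list of (artifact, effective_version, status, fixed)
    for every spring-security artifact found in the tool output. Gradle's
    resolved version (after '->') wins over the declared one."""
    findings, seen = [], set()
    for line in text.splitlines():
        for artifact, declared, resolved in _ARTIFACT_RE.findall(line):
            version = resolved or declared
            if not version or (artifact, version) in seen:
                continue
            seen.add((artifact, version))
            status, fixed = classify(version)
            findings.append((artifact, version, status, fixed))
    return findings


def affected_artifacts(text):
    """Only the entries that need an upgrade."""
    return [f for f in scan_dependency_output(text) if f[2] == "affected"]


# Constructed sample outputs (not captured from a real build).
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:sp-app:jar:1.0.0
[INFO] +- org.springframework.security:spring-security-saml2-service-provider:jar:6.4.5:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:6.4.5:compile
[INFO] |  \\- org.springframework.security:spring-security-core:jar:6.4.5:compile
[INFO] \\- org.springframework.security:spring-security-config:jar:6.4.5:compile
"""

SAMPLE_GRADLE_DEPS = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.security:spring-security-saml2-service-provider:7.0.3 -> 7.0.6
|    +--- org.springframework.security:spring-security-core:7.0.6
+--- org.springframework.security:spring-security-web -> 7.0.6 (*)
"""

if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_spring_security.py
    for artifact, version, status, fixed in scan_dependency_output(sys.stdin.read()):
        note = f"upgrade to {fixed}" if fixed else ""
        print(f"{status:9} {artifact}:{version} {note}")
```

The pre-release rule is deliberately conservative: a `6.5.11-SNAPSHOT` on the classpath is reported as affected because nothing on the page says a snapshot of the fixed version carries the fix. An "unlisted" result for a 6.0 through 6.2 build is a prompt to move to a supported line, not a clean bill of health.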
