CVE-2026-40997 Overview
CVE-2026-40997 affects Spring Web Services integration paths that use Spring Security for SOAP client authentication. Several integration paths surface detailed account state information to remote SOAP clients through exception messages and callback outcomes. The behavior exposes whether an account exists, is locked, or is disabled, rather than returning a generic authentication error. Remote attackers can use this signal to enumerate valid usernames and infer account lifecycle state. The flaw is classified under [CWE-209] Information Exposure Through an Error Message.
Critical Impact
Remote unauthenticated SOAP clients can distinguish valid accounts from invalid ones and infer account states such as locked or disabled, enabling targeted credential attacks.
Affected Products
- Spring Web Services 5.0.0 through 5.0.1
- Spring Web Services 4.1.0 through 4.1.3, and 4.0.0 through 4.0.18
- Spring Web Services 3.1.0 through 3.1.8
Discovery Timeline
- 2026-06-11 - CVE-2026-40997 published to the National Vulnerability Database
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-40997
Vulnerability Analysis
The vulnerability resides in how Spring Web Services propagates authentication failures originating from Spring Security UserDetailsService implementations and credential callbacks. When a SOAP request triggers authentication, exceptions such as LockedException, DisabledException, AccountExpiredException, and UsernameNotFoundException carry distinct semantics. Affected integration paths convert these exceptions into SOAP faults or WS-Security callback outcomes that preserve the original message text or response code.
A remote SOAP client observing the response can therefore differentiate between an unknown user, a known but locked user, a disabled user, and an active user with a bad password. This breaks the principle that authentication failures should be indistinguishable to unauthenticated callers.
Root Cause
The root cause is the absence of a generic authentication error abstraction in the Spring WS authentication interceptors and WS-Security callback handlers. Exception messages from org.springframework.security.core.AuthenticationException subclasses are forwarded into outbound SOAP fault strings instead of being normalized to a single opaque failure. This is a classic [CWE-209] pattern in which verbose server-side diagnostics reach untrusted clients.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a series of SOAP requests with crafted wsse:UsernameToken headers or equivalent credentials, varying the username and password fields. The attacker then compares the resulting SOAP fault strings or WSSecurityException codes to classify each username. The vulnerability does not allow code execution or data tampering, but it provides reliable account enumeration that supports follow-on password spraying or credential stuffing.
Verified exploitation code is not publicly available. See the Spring Security Advisory CVE-2026-40997 for vendor technical details.
Detection Methods for CVE-2026-40997
Indicators of Compromise
- High-volume SOAP requests from a single source whose wsse:UsernameToken headers carry varying Username values within a short window
- SOAP fault responses returned to external clients containing strings such as "User is locked", "User is disabled", "User account has expired", or "User not found"
- Repeated 401 or SOAP fault responses correlated with successful authentication shortly after, suggesting username harvesting followed by targeted login
Detection Strategies
- Inspect application logs and SOAP gateway logs for outbound fault messages that include Spring Security exception class names or account-state phrases
- Deploy WAF or API gateway rules that flag enumeration patterns against /services/* or other SOAP endpoints exposed by Spring WS
- Baseline normal authentication failure rates per source IP and alert on sustained anomalies indicative of enumeration
Monitoring Recommendations
- Forward Spring WS access logs and SOAP fault payloads into a centralized analytics platform for correlation across endpoints
- Track per-source-IP ratios of distinct usernames attempted versus authentication failures
- Alert when SOAP responses include exception types from the org.springframework.security.authentication package
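The script below is an added example (not from the advisory or the Spring project) that applies the Detection Strategies and Monitoring Recommendations above to constructed SOAP gateway log lines: it flags fault strings that carry account-state phrases or Spring Security exception names, and flags source IPs whose failures spread over many distinct usernames. The log format, addresses and thresholds are assumptions to adapt to your own gateway.

```python
import re
from collections import defaultdict

# Constructed gateway log format: "<ts> src=<ip> user=<name> status=<http> fault=\"<text>\""
LOG_LINE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
                      r'status=(?P<status>\d{3}) fault="(?P<fault>[^"]*)"$')

# Account-state phrases and Spring Security exception names that must never reach a client
LEAK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"user is locked", r"user is disabled", r"user account has expired", r"user not found",
    r"org\.springframework\.security\.authentication\.\w+Exception",
    r"\b(Locked|Disabled|AccountExpired|UsernameNotFound)Exception\b")]

def parse(lines):
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()

def leaking_faults(lines):
    """(src, user, fault) for every response whose fault string reveals account state."""
    return [(e["src"], e["user"], e["fault"]) for e in parse(lines)
            if any(p.search(e["fault"]) for p in LEAK_PATTERNS)]

def enumeration_sources(lines, min_failures=5, min_distinct_ratio=0.8):
    """Sources whose failures spread over many distinct usernames (enumeration shape).
    Thresholds are illustrative assumptions; baseline them per environment."""
    failures, users = defaultdict(int), defaultdict(set)
    for e in parse(lines):
        if e["status"] != "200":          # any non-success counts as a failed attempt
            failures[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return sorted(src for src, n in failures.items()
                  if n >= min_failures and len(users[src]) / n >= min_distinct_ratio)

# Constructed sample: one source walking through usernames, one legitimate user retrying
SAMPLE_LOG = """\
2026-06-12T10:00:01Z src=203.0.113.7 user=alice status=500 fault="User is locked"
2026-06-12T10:00:02Z src=203.0.113.7 user=bob status=500 fault="User not found"
2026-06-12T10:00:03Z src=203.0.113.7 user=carol status=500 fault="User is disabled"
2026-06-12T10:00:04Z src=203.0.113.7 user=dave status=500 fault="Bad credentials"
2026-06-12T10:00:05Z src=203.0.113.7 user=erin status=500 fault="User account has expired"
2026-06-12T10:00:06Z src=203.0.113.7 user=frank status=500 fault="LockedException: User is locked"
2026-06-12T10:01:00Z src=198.51.100.5 user=alice status=500 fault="Authentication failed"
2026-06-12T10:01:30Z src=198.51.100.5 user=alice status=200 fault=""
""".splitlines()
```

Running `leaking_faults(SAMPLE_LOG)` lists the five leaking responses from 203.0.113.7, and `enumeration_sources(SAMPLE_LOG)` flags only that source; the retrying legitimate user is not reported.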
How to Mitigate CVE-2026-40997
Immediate Actions Required
- Upgrade Spring Web Services to a fixed maintenance release within the 5.0.x, 4.1.x, 4.0.x, or 3.1.x branch as listed in the vendor advisory
- Audit custom AuthenticationProvider and WS-Security callback handler implementations for code that re-throws AuthenticationException messages into SOAP faults
- Restrict external exposure of SOAP endpoints to only the consumers that require them while patching is scheduled
Patch Information
Pivotal/VMware published fixes through the Spring Security Advisory CVE-2026-40997. Upgrade to the patched version of the branch you run: 5.0.x, 4.1.x, 4.0.x, or 3.1.x. The fix normalizes authentication exceptions into a generic failure before they reach the SOAP response.
Workarounds
- Implement a global SOAP fault interceptor that replaces any AuthenticationException payload with a single opaque message such as Authentication failed
- Configure custom UserDetailsService logic to throw only BadCredentialsException regardless of whether the account is missing, locked, disabled, or expired
- Place an API gateway in front of Spring WS endpoints that rewrites SOAP fault bodies to strip exception class names and account-state phrases
```java
// Example: enforce a generic authentication failure in a custom AuthenticationProvider
// (configuration outline; adapt to your Spring Security version)
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Inside your AuthenticationProvider.authenticate(Authentication authentication):
try {
    // existing authentication logic
} catch (UsernameNotFoundException | LockedException
         | DisabledException | AccountExpiredException ex) {
    // Collapse every account-state outcome into one opaque failure
    throw new BadCredentialsException("Authentication failed");
}
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

