CVE-2026-40998 Overview
CVE-2026-40998 is an XML External Entity (XXE) vulnerability in Spring Web Services. The Jaxp13XPathTemplate class evaluates XPath expressions against StreamSource and SAXSource inputs using the JDK's default DocumentBuilderFactory behavior. This code path bypasses Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads can be exposed to XXE-style attacks, enabling attackers to read local files, perform server-side request forgery, or trigger denial of service through entity expansion. The flaw is tracked under CWE-611: Improper Restriction of XML External Entity Reference.
Critical Impact
Network-reachable attackers can submit crafted XML to vulnerable Spring Web Services applications to disclose sensitive file contents and internal network data without authentication.
Affected Products
- Spring Web Services 5.0.0 through 5.0.1
- Spring Web Services 4.1.0 through 4.1.3, and 4.0.0 through 4.0.18
- Spring Web Services 3.1.0 through 3.1.8
Discovery Timeline
- 2026-06-11 - CVE-2026-40998 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-40998
Vulnerability Analysis
The vulnerability resides in Jaxp13XPathTemplate, a Spring Web Services utility that evaluates XPath expressions over XML sources. When the input is a StreamSource or SAXSource, the template invokes the JDK's default DocumentBuilderFactory to parse the payload. The default factory does not disable external entity resolution, DTD processing, or external schema loading. Spring ships a hardened parser configuration elsewhere in the framework, but this specific code path does not apply it. Any application that passes attacker-controlled XML into the affected XPath evaluation method becomes a parser for fully featured XML, including DOCTYPE declarations and external entities.
Root Cause
The root cause is missing parser hardening on a single code path. The DocumentBuilderFactory instance retains its insecure defaults rather than receiving Spring's standard secure settings, such as the disallow-doctype-decl, external-general-entities, and external-parameter-entities features. The framework's hardened parser exists, but the StreamSource and SAXSource branches of Jaxp13XPathTemplate do not use it.
Attack Vector
An unauthenticated attacker submits an XML document containing a malicious DOCTYPE and external entity declaration to an endpoint that calls Jaxp13XPathTemplate on untrusted input. When the template parses the document to evaluate XPath, the underlying parser resolves the external entity. The attacker can reference local files through file:// URIs, internal services through http:// URIs, or trigger billion-laughs style expansion. Confidentiality impact is high. Integrity impact is limited to outcomes derived from XML entity injection, and availability is unaffected per the published CVSS vector. See the Spring Security Advisory for CVE-2026-40998 for vendor technical details.
Detection Methods for CVE-2026-40998
Indicators of Compromise
- Inbound SOAP or XML requests containing <!DOCTYPE declarations with ENTITY references pointing to file://, http://, https://, or ftp:// URIs.
- Outbound network connections from Spring Web Services hosts to unexpected internal or external endpoints immediately after XML processing.
- Application logs showing XML parser entity resolution warnings, parse failures referencing external DTDs, or unexpected file read errors from the JVM.
Detection Strategies
- Inspect HTTP request bodies sent to SOAP and XML endpoints for DOCTYPE and ENTITY keywords using a web application firewall or reverse proxy.
- Audit application code for direct usage of Jaxp13XPathTemplate against StreamSource or SAXSource constructed from untrusted input.
- Correlate XML parsing activity in Spring Web Services with subsequent process file reads outside expected directories.
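The request-body inspection suggested above is usually a string match for the DOCTYPE and ENTITY keywords, and the check a practitioner wants is one that is not defeated by a body encoded in something other than UTF-8. The following Java class is an added example, not code from this advisory or from the Spring Web Services project: it decodes the body according to its BOM, a BOM-less UTF-16 heuristic, or the XML declaration's encoding attribute before matching, then reports DOCTYPE and ENTITY constructs. The class name XmlBodyInspector and the sample bodies in main are assumptions constructed for the example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical gateway-side inspector for XML request bodies. The body is decoded
 * according to its BOM or XML declaration before matching, so a UTF-16 or other
 * non-UTF-8 payload cannot hide a DOCTYPE from a byte-level "<!DOCTYPE" match.
 */
public final class XmlBodyInspector {

    // XML declaration with an encoding pseudo-attribute, optionally preceded by a UTF-8 BOM
    private static final Pattern ENCODING_DECL =
            Pattern.compile("\\A\\uFEFF?\\s*<\\?xml[^>]*?encoding\\s*=\\s*[\"']([A-Za-z0-9._-]+)[\"']");
    // XML keywords are case-sensitive: a conforming parser honours only the uppercase forms
    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE\\b");
    private static final Pattern ENTITY = Pattern.compile("<!ENTITY\\b");

    private XmlBodyInspector() {}

    /** Decodes the raw body: BOM first, then a BOM-less UTF-16 heuristic, then the declared encoding. */
    static String decode(byte[] body) {
        if (body.length >= 2) {
            int b0 = body[0] & 0xFF, b1 = body[1] & 0xFF;
            if (b0 == 0xFE && b1 == 0xFF) return new String(body, 2, body.length - 2, StandardCharsets.UTF_16BE);
            if (b0 == 0xFF && b1 == 0xFE) return new String(body, 2, body.length - 2, StandardCharsets.UTF_16LE);
            if (b0 == '<' && b1 == 0x00) return new String(body, StandardCharsets.UTF_16LE);
            if (b0 == 0x00 && b1 == '<') return new String(body, StandardCharsets.UTF_16BE);
        }
        String asUtf8 = new String(body, StandardCharsets.UTF_8);
        Matcher m = ENCODING_DECL.matcher(asUtf8);
        if (m.find()) {
            try {
                return new String(body, Charset.forName(m.group(1)));
            } catch (IllegalArgumentException unsupported) {
                // Unknown charset name: fall through and inspect the UTF-8 view
            }
        }
        return asUtf8;
    }

    /** Reports every DOCTYPE and ENTITY construct in the body; an empty list means none were seen. */
    public static List<String> inspect(byte[] body) {
        List<String> findings = new ArrayList<>();
        String xml = decode(body);
        Matcher d = DOCTYPE.matcher(xml);
        if (!d.find()) {
            return findings;
        }
        // End of the DOCTYPE is "]>" when an internal subset is present, otherwise the first '>'
        int close = xml.indexOf('>', d.end());
        int subset = xml.indexOf('[', d.end());
        if (subset >= 0 && (close < 0 || subset < close)) {
            int subsetClose = xml.indexOf("]>", subset);
            close = subsetClose >= 0 ? subsetClose + 1 : -1;
        }
        String dtd = close >= 0 ? xml.substring(d.start(), close + 1) : xml.substring(d.start());
        findings.add("DOCTYPE declaration at character offset " + d.start());
        int entities = 0;
        Matcher e = ENTITY.matcher(dtd);
        while (e.find()) {
            entities++;
        }
        if (entities > 0) {
            findings.add(entities + " ENTITY declaration(s) in the internal subset");
        }
        return findings;
    }

    /** Gateway policy from the workaround section: reject any body that declares a DTD. */
    public static boolean shouldReject(byte[] body) {
        return !inspect(body).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample bodies; none reference an external resource
        byte[] benign = ("<?xml version=\"1.0\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body/></soap:Envelope>").getBytes(StandardCharsets.UTF_8);
        byte[] withDtd = "<!DOCTYPE r [<!ENTITY a \"x\"><!ENTITY b \"y\">]><r>&a;&b;</r>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] utf16 = "<?xml version=\"1.0\" encoding=\"UTF-16\"?><!DOCTYPE r><r/>"
                .getBytes(StandardCharsets.UTF_16LE);
        for (byte[] body : new byte[][] {benign, withDtd, utf16}) {
            System.out.println(shouldReject(body) + " " + inspect(body));
        }
    }
}
```

The third sample is the case a plain byte match misses: encoded as UTF-16LE without a BOM, the bytes never contain the ASCII sequence "<!DOCTYPE", yet a JDK parser would honour the declaration. A DOCTYPE inside an XML comment will also be reported; for an endpoint that should never see inline DTDs that false positive is acceptable, since rejecting the request is the stated policy.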
Monitoring Recommendations
- Monitor JVM file system access on directories holding configuration, credentials, or private keys, and alert on reads originating from the Spring Web Services process.
- Track outbound DNS and HTTP requests from application servers to identify XXE-driven SSRF callbacks.
- Enable verbose XML parser logging in non-production environments to surface external entity resolution attempts during testing.
How to Mitigate CVE-2026-40998
Immediate Actions Required
- Upgrade Spring Web Services to a fixed release line per the Spring Security Advisory for CVE-2026-40998.
- Inventory all services that consume XML from untrusted sources and confirm whether they invoke Jaxp13XPathTemplate on StreamSource or SAXSource inputs.
- Block or strip DOCTYPE declarations at the network edge for XML endpoints that should never accept inline DTDs.
Patch Information
VMware/Spring has published fixed versions through the official advisory. Affected branches are 5.0.0–5.0.1, 4.1.0–4.1.3, 4.0.0–4.0.18, and 3.1.0–3.1.8. Operators should apply the corresponding patched release for their branch. Refer to the Spring Security Advisory for CVE-2026-40998 for exact fixed version numbers and migration notes.
Workarounds
- Avoid passing untrusted XML directly into Jaxp13XPathTemplate; pre-parse with a hardened DocumentBuilder and supply a DOMSource instead.
- Configure a custom DocumentBuilderFactory with the http://apache.org/xml/features/disallow-doctype-decl feature set to true and the external entity features disabled, and ensure the application uses it before XPath evaluation.
- Place XML-handling endpoints behind a gateway that rejects requests containing <!DOCTYPE or <!ENTITY tokens until patching is complete.
// Example hardening for a DocumentBuilderFactory used in place of the vulnerable path
// (javax.xml.parsers.DocumentBuilderFactory; setFeature throws ParserConfigurationException)
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // reject any DTD outright
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);  // defence in depth should a DTD ever be allowed
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
// Parse the untrusted bytes here (untrustedXmlInputStream is a placeholder) and hand the Document to the XPath template as a DOMSource
Document document = factory.newDocumentBuilder().parse(untrustedXmlInputStream);
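The complete pattern behind the first workaround, as an added example rather than code from the Spring Web Services project: untrusted bytes are parsed by a hardened DocumentBuilder, and only the resulting DOM, wrapped in a DOMSource, reaches Jaxp13XPathTemplate, so the StreamSource and SAXSource branch that falls back to the JDK default parser is never used. The feature URIs and the evaluateAsString(String, Source) method are real; the class name SafeXPathEvaluator, the sample documents and the XPath expression are assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;

import org.springframework.xml.xpath.Jaxp13XPathTemplate;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hypothetical wrapper (not part of Spring Web Services): untrusted XML is parsed by a hardened
 * DocumentBuilder first, and Jaxp13XPathTemplate only ever receives a DOMSource.
 */
public final class SafeXPathEvaluator {

    private final Jaxp13XPathTemplate xpath = new Jaxp13XPathTemplate();

    /** A fresh, hardened builder per call: DocumentBuilder instances are not thread-safe. */
    private static DocumentBuilder newHardenedBuilder() {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            // Fail closed: a parser that cannot be hardened must not be used for untrusted input
            throw new IllegalStateException("XML parser lacks required security features", e);
        }
    }

    /** Parses untrusted bytes; a DOCTYPE is rejected by the parser before any entity can be resolved. */
    public Document parseUntrusted(byte[] body) throws SAXException, IOException {
        return newHardenedBuilder().parse(new ByteArrayInputStream(body));
    }

    /** Evaluates an XPath expression over untrusted XML through the safe DOMSource path. */
    public String evaluateAsString(String expression, byte[] untrustedXml) throws SAXException, IOException {
        Document document = parseUntrusted(untrustedXml);
        return xpath.evaluateAsString(expression, new DOMSource(document));
    }

    public static void main(String[] args) throws Exception {
        SafeXPathEvaluator evaluator = new SafeXPathEvaluator();

        // Constructed sample: a plain document, evaluated normally
        byte[] benign = "<order><id>42</id></order>".getBytes(StandardCharsets.UTF_8);
        System.out.println("order id: " + evaluator.evaluateAsString("/order/id", benign));

        // Constructed sample: the same document with an internal DTD; the hardened parser refuses it
        byte[] withDoctype = ("<!DOCTYPE order [<!ENTITY greeting \"hello\">]>"
                + "<order><id>&greeting;</id></order>").getBytes(StandardCharsets.UTF_8);
        try {
            evaluator.evaluateAsString("/order/id", withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException rejected) {
            System.out.println("rejected before entity resolution: " + rejected.getMessage());
        }
    }
}
```

Because disallow-doctype-decl is set, the second call fails inside parse() with a SAXParseException before the parser reaches any entity declaration; the remaining features are defence in depth for deployments that must accept a DTD and therefore cannot enable that first feature. A builder that throws ParserConfigurationException for one of these features is a parser implementation that cannot be trusted with untrusted input, which is why the wrapper refuses to fall back to defaults.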
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.