SecuriTricks - CVE-2026-40997

Description

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Product(s) Impacted

Vendor	Product	Versions
Vmware	Spring Web Services	5.0.0-5.0.1, 4.1.0-4.1.3, 4.0.0-4.0.18, 3.1.0-3.1.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-209

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	vmware	spring_web_services	5.0.0-5.0.1	/	/	/	/	/	/	/
a	vmware	spring_web_services	4.1.0-4.1.3	/	/	/	/	/	/	/
a	vmware	spring_web_services	4.0.0-4.0.18	/	/	/	/	/	/	/
a	vmware	spring_web_services	3.1.0-3.1.8	/	/	/	/	/	/	/

References

https://spring.io/security/cve-2026-40997

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: June 11, 2026, 7:16 a.m.
Last Modified: June 11, 2026, 7:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-40997