CVE-2026-40999: CWE-918: Server-Side Request Forgery (SSRF) in Spring Spring Web Services
When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
AI Analysis
Technical Summary
CVE-2026-40999 is a high-severity SSRF vulnerability in Spring Web Services. When WS-Addressing is configured with non-anonymous ReplyTo or FaultTo addresses, the framework may make outbound connections through WebServiceMessageSender instances to endpoints directly derived from request headers. These destinations are not validated for safety, potentially allowing an attacker to cause the server to connect to arbitrary internal or external systems. The affected versions include Spring Web Services 3.1.0 through 3.1.8, 4.0.0 through 4.0.18, 4.1.0 through 4.1.3, and 5.0.0 through 5.0.1. No vendor advisory or patch information is provided in the data, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation could allow an unauthenticated attacker to induce the vulnerable Spring Web Services instance to make network requests to arbitrary destinations. This can lead to information disclosure or interaction with internal systems that are otherwise inaccessible, impacting confidentiality. The CVSS score is 8.6 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a confidentiality impact only.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, carefully review and restrict the use of WS-Addressing with non-anonymous ReplyTo or FaultTo addresses. Avoid accepting untrusted input for these headers or implement strict validation of outbound destinations in WebServiceMessageSender configurations.
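One way to apply the "strict validation of outbound destinations" recommendation above, written here as an added example rather than code from the advisory or the Spring WS project: a decorator around whatever WebServiceMessageSender is already configured that fails closed unless the ReplyTo/FaultTo destination is an https URI whose host is on an explicit allow-list. The `AllowListMessageSender` class name, the delegate and the allow-list contents are assumptions for illustration; the `WebServiceMessageSender` and `WebServiceConnection` types are the real Spring WS transport interfaces.

```java
// Added example, not from the advisory or the Spring WS project.
// Wraps a configured WebServiceMessageSender and refuses to open
// connections to destinations that are not on an explicit allow-list,
// so a ReplyTo/FaultTo header taken from the request cannot steer the
// server to an arbitrary host.
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.WebServiceMessageSender;

public final class AllowListMessageSender implements WebServiceMessageSender {

    private final WebServiceMessageSender delegate;
    private final Set<String> allowedHosts; // constructed, e.g. Set.of("partner.example.com")

    public AllowListMessageSender(WebServiceMessageSender delegate, Set<String> allowedHosts) {
        this.delegate = delegate;
        this.allowedHosts = allowedHosts;
    }

    /** True only for https URIs with a non-empty, allow-listed host and no userinfo. */
    static boolean isAllowed(URI uri, Set<String> allowedHosts) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
            return false; // relative or host-less URIs are never acceptable callback targets
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false; // reject http, file, jar and any other scheme outright
        }
        if (uri.getUserInfo() != null) {
            return false; // userinfo is resolved inconsistently across URL parsers; fail closed
        }
        return allowedHosts.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    @Override
    public WebServiceConnection createConnection(URI uri) throws IOException {
        if (!isAllowed(uri, allowedHosts)) {
            // Fail closed; the rejected destination is worth logging as a detection signal.
            throw new IOException("Refusing outbound WS-Addressing connection to " + uri);
        }
        return delegate.createConnection(uri);
    }

    @Override
    public boolean supports(URI uri) {
        return isAllowed(uri, allowedHosts) && delegate.supports(uri);
    }
}
```

Register the wrapper wherever the WS-Addressing endpoint mapping currently receives its WebServiceMessageSender, passing the original sender as the delegate; anything outside the allow-list then fails before a socket is opened.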
CVSS v3.1
Score: 8.6 (High)
Affected software
pkg:maven/org.springframework.ws/spring-ws-core
Weaknesses
Technical Details
- Data Version: 5.2
- Assigner Short Name: vmware
- Date Reserved: 2026-04-16T02:19:12.970Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2a59ba318757064921d3bc
Added to database: 6/11/2026, 6:46:18 AM
Last enriched: 6/11/2026, 7:00:56 AM
Last updated: 6/11/2026, 10:38:33 AM