CVE-2026-40994
8.2 HIGHWss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP ...
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 8.2 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
- CWE
- CWE-1188
Description
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-54359 — MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled
- CVE-2026-44892 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
- CVE-2026-46517 — LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
- CVE-2026-36616 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS... (5.9 MEDIUM)
- CVE-2026-36612 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 1... (6.4 MEDIUM)