CVE-2026-41000
3.7 LOWWss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 3.7 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-294
Description
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49322 — Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-... (4.3 MEDIUM)
- CVE-2026-9095 — Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection (8.1 HIGH)
- CVE-2026-46538 — Microsoft UFO open-source framework for intelligent automation across devices and platforms (5.9 MEDIUM)
- CVE-2026-9398 — A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426 (3.1 LOW)
- CVE-2026-37982 — A flaw was found in Keycloak (6.8 MEDIUM)