Spring Ecosystem Security Advisory: 8 New Vulnerabilities Across Spring Integration, Web Services, Web Flow, and Boot (June 2026)

VMware Tanzu has published a coordinated security advisory covering eight new vulnerabilities across multiple Spring ecosystem modules. The affected projects include Spring Integration (1 CVE), Spring Web Services (4 CVEs), Spring Web Flow (2 CVEs), and Spring Boot (1 CVE). The vulnerabilities span arbitrary file writes, authentication and signature bypasses, expression language injection, cross-site scripting, hostname verification weaknesses, weak cryptographic defaults, and replay attack exposures. The most severe is CVE-2026-40994 (CVSS 8.2) in Spring Web Services, allowing signature verification bypass via malicious BSP assertions. All users of affected modules are advised to upgrade to the latest maintenance releases immediately.


Spring Integration

CVE-2026-40987 (CVSS 7.1) — Arbitrary File Write via FTP Session Factory

Spring Integration’s FTP/SFTP adapters support configurable session factories for inbound and outbound file transfers. A flaw in the FTP session factory component allows an attacker with control over integration flow configuration or message content (for example, a filename derived from a message header or payload) to manipulate file write paths, so that files are written outside the intended directory. This becomes remote code execution if the attacker can place a malicious JSP, script, or executable in a web-accessible or auto-executed location.

Fix: Upgrade to Spring Integration 6.3.6 or 6.4.2.
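The containment check that closes this class of bug, as an added example (not Spring Integration's code or the vendor fix): any component that derives an output path from message content must canonicalise the result and confirm it still lies inside the configured directory. The base directory and filenames below are assumed values constructed for the example.

```python
# Added example (not Spring Integration's code): a containment check for the
# file-write pattern behind CVE-2026-40987.  A filename taken from a message
# header or payload is only honoured if the canonical target stays inside the
# configured base directory.
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested filename would escape the output directory."""


def resolve_output_path(base_dir: str, requested_name: str) -> Path:
    """Return the canonical absolute path for `requested_name` under `base_dir`,
    or raise UnsafePathError if it would land outside it.

    Both sides are passed through resolve() so `..` segments and symlinks are
    collapsed before the test; a plain string-prefix check would let
    `/srv/ftp/in_evil` pass against a base of `/srv/ftp/in`.
    """
    base = Path(base_dir).resolve()
    # Absolute names from the remote side are never honoured: an attacker
    # supplying "/var/www/app/shell.jsp" would otherwise win outright.
    if Path(requested_name).is_absolute():
        raise UnsafePathError(f"absolute path rejected: {requested_name!r}")
    # resolve() with strict=False canonicalises even if the file does not exist yet.
    target = (base / requested_name).resolve()
    try:
        target.relative_to(base)          # raises ValueError when outside base
    except ValueError:
        raise UnsafePathError(
            f"{requested_name!r} resolves to {target}, outside {base}"
        ) from None
    return target


def is_safe_name(base_dir: str, requested_name: str) -> bool:
    """Boolean convenience form of resolve_output_path()."""
    try:
        resolve_output_path(base_dir, requested_name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    base = "/srv/ftp/inbound"   # assumed directory, constructed for the example
    for name in ["report.csv", "2026/06/report.csv", "../inbound/ok.txt",
                 "../../var/www/shell.jsp", "/etc/cron.d/job"]:
        verdict = "ALLOW" if is_safe_name(base, name) else "REJECT"
        print(f"{name!r:32} -> {verdict}")
```

Note the `../inbound/ok.txt` case: it is accepted because, after canonicalisation, it lands back inside the base directory. A check that simply rejects any `..` would also work, but is stricter than necessary and still misses symlink escapes that resolve() catches.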


Spring Web Services

Four vulnerabilities were identified in Spring Web Services, primarily affecting WS-Security (WSS4J) and XML signature processing:

CVE-2026-40994 (CVSS 8.2) — BSP Signature Bypass: A flaw in Basic Security Profile (BSP) compliant signature verification allows an attacker to craft a malicious SOAP message whose signature appears valid despite containing forged assertions. This can bypass authentication and integrity controls in BSP-configured endpoints.

CVE-2026-40995 (CVSS 7.5) — X.509 Certificate Validation Bypass: The X.509 certificate-based signature verification in certain WS-Security configurations does not properly validate the full certificate chain or trust anchor. An attacker with a certificate from any CA trusted by the server’s truststore may bypass endpoint authentication.

CVE-2026-40996 (CVSS 5.9) — RSA 1.5 Padding Default: Spring Web Services enables RSA PKCS#1 v1.5 padding as a default algorithm for XML encryption key transport. That padding scheme is vulnerable to Bleichenbacher-style chosen-ciphertext attacks: an attacker who can submit modified EncryptedKey blocks and learn whether the endpoint's decryption succeeded (through distinguishable error responses or timing) gains a padding oracle and can, over many queries, recover the transported session key and with it the message content, without ever obtaining the private key.

CVE-2026-41000 (CVSS 5.3) — WSS4J Replay Cache Weakness: The WSS4J replay detection cache uses a default configuration that can be bypassed under high message volume, allowing previously captured signed messages to be replayed successfully against the endpoint.

Fix: Upgrade to Spring Web Services 4.1.7 or 4.2.3.
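The replay-cache weakness described under CVE-2026-41000 is easiest to reason about with a model. The following is an added example and a toy model of the general failure mode, not WSS4J's cache implementation (the advisory does not describe that internals); capacities, window length and message rates are made up. It contrasts a cache bounded only by entry count, which forgets a captured message ID before its timestamp window has closed once traffic exceeds its capacity, with one bounded by the window that refuses new messages when full rather than evicting live entries.

```python
# Added example: toy model of the replay-cache failure mode, not WSS4J's code.
# A cache bounded only by entry count forgets a captured message ID before its
# timestamp window closes once traffic exceeds the capacity; a cache bounded by
# the window keeps protecting, at the cost of refusing new messages when full.
from collections import OrderedDict


class CountBoundedReplayCache:
    """Rejects message IDs it still remembers, but silently evicts the oldest
    entry whenever `capacity` is reached."""

    def __init__(self, capacity: int, window: int):
        self.capacity, self.window = capacity, window
        self._seen: "OrderedDict[str, int]" = OrderedDict()   # msg_id -> ts

    def accept(self, msg_id: str, ts: int, now: int) -> bool:
        if now - ts > self.window:             # stale timestamp: reject
            return False
        if msg_id in self._seen:               # replay still remembered: reject
            return False
        if len(self._seen) >= self.capacity:
            self._seen.popitem(last=False)     # eviction under load: the weakness
        self._seen[msg_id] = ts
        return True


class WindowBoundedReplayCache:
    """Keeps every accepted ID until its own timestamp window has expired and
    fails closed (refuses new messages) instead of evicting live entries."""

    def __init__(self, capacity: int, window: int):
        self.capacity, self.window = capacity, window
        self._seen: "OrderedDict[str, int]" = OrderedDict()

    def _expire(self, now: int) -> None:
        # Full scan so out-of-order timestamps are handled; O(n) is fine for a model.
        for msg_id, ts in list(self._seen.items()):
            if now - ts > self.window:
                del self._seen[msg_id]

    def accept(self, msg_id: str, ts: int, now: int) -> bool:
        if now - ts > self.window:
            return False
        self._expire(now)
        if msg_id in self._seen:
            return False
        if len(self._seen) >= self.capacity:
            return False                       # fail closed rather than forget
        self._seen[msg_id] = ts
        return True


def replay_succeeds(cache_cls, capacity: int, window: int, rate: int) -> bool:
    """Accept message m0 at t=0, push `rate` fresh messages per tick for the
    rest of the window, then replay m0 while its timestamp is still valid.
    Returns True if the replay is accepted, i.e. the endpoint is exposed."""
    cache = cache_cls(capacity=capacity, window=window)
    assert cache.accept("m0", ts=0, now=0)     # the legitimate original
    n = 0
    for now in range(1, window):
        for _ in range(rate):
            n += 1
            cache.accept(f"m{n}", ts=now, now=now)   # filler traffic; result unused
    return cache.accept("m0", ts=0, now=window - 1)


if __name__ == "__main__":
    for rate in (1, 10):
        for cls in (CountBoundedReplayCache, WindowBoundedReplayCache):
            exposed = replay_succeeds(cls, capacity=1000, window=300, rate=rate)
            print(f"{cls.__name__:26} rate={rate:2}/tick  replay accepted: {exposed}")
```

The arithmetic behind recommendation 3 below falls out of the model: a count-bounded cache is only safe while capacity exceeds peak message rate multiplied by the accepted timestamp window, and the fail-closed variant turns overload into a denial of service instead of a replay, which is the correct trade for an authentication control.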


Spring Web Flow

CVE-2026-40985 (CVSS 6.4) — Expression Language Injection: Spring Web Flow evaluates EL expressions during flow execution for view state resolution and flow variable binding. Under certain conditions, an attacker who can influence flow input parameters may inject arbitrary EL expressions that get evaluated server-side, potentially leading to information disclosure or limited code execution within the expression evaluator context.

CVE-2026-40986 (CVSS 5.4) — Cross-Site Scripting (XSS): User-supplied input rendered in flow transition messages and error views is not consistently escaped. An attacker can inject JavaScript that executes in the context of an authenticated user’s browser session, enabling session hijacking or credential theft.

Fix: Upgrade to Spring Web Flow 3.2.2 or 4.0.2.


Spring Boot

CVE-2026-40992 (CVSS 5.3) — Mail Starter Hostname Verification Bypass: The Spring Boot Mail starter auto-configures JavaMailSender with default SMTP properties that do not enforce strict hostname verification during TLS handshakes. Under certain network configurations, this allows a man-in-the-middle attacker with a valid certificate for a different hostname to intercept outbound email traffic, including password reset tokens and other sensitive notifications.

Fix: Upgrade to Spring Boot 3.3.8, 3.4.5, or 3.5.2.


Versions Affected (Consolidated)

  • Spring Integration: 6.3.x prior to 6.3.6, 6.4.x prior to 6.4.2
  • Spring Web Services: 4.1.x prior to 4.1.7, 4.2.x prior to 4.2.3
  • Spring Web Flow: 3.2.x prior to 3.2.2, 4.0.x prior to 4.0.2
  • Spring Boot: 3.3.x prior to 3.3.8, 3.4.x prior to 3.4.5, 3.5.x prior to 3.5.2

Fix (Consolidated)

VMware Tanzu has released patched versions for all affected modules. The recommended upgrade targets are:

Module                 Fixed Versions
Spring Integration     6.3.6, 6.4.2
Spring Web Services    4.1.7, 4.2.3
Spring Web Flow        3.2.2, 4.0.2
Spring Boot            3.3.8, 3.4.5, 3.5.2

If Spring Boot starters pull these modules in transitively, upgrading Spring Boot will usually move them to the patched releases, but only where the new Boot BOM actually manages the patched version. After upgrading, confirm the resolved versions in the dependency tree rather than assuming; where the BOM still manages an older release, override it (for Maven, the spring-boot-dependencies BOM exposes version properties such as spring-integration.version and spring-ws.version) or declare the patched module version explicitly.


Recommendations

  1. Patch immediately. CVE-2026-40994 (CVSS 8.2) and CVE-2026-40987 (CVSS 7.1) are the most impactful. Prioritise Spring Web Services and Spring Integration upgrades first.
  2. Audit dependency trees. Even if you do not directly declare Spring Web Services or Spring Web Flow, they may be pulled in transitively by Spring Boot starters or third-party libraries. Use mvn dependency:tree or gradle dependencies to check.
  3. Review WS-Security configuration. For Spring Web Services deployments using WS-Security, verify that RSA-OAEP is enforced for key transport and that replay cache configurations have adequate capacity.
  4. Restrict expression evaluation. For Spring Web Flow applications, limit EL expression features to the minimum necessary scope and validate all flow input parameters against allow-lists.
  5. Enforce SMTP hostname verification. For Spring Boot Mail users, explicitly set spring.mail.properties.mail.smtp.ssl.checkserveridentity=true even after upgrading, as a defense-in-depth measure.
  6. Monitor for exploitation. Review application logs for unusual file write paths (Spring Integration), malformed SOAP signatures (Spring WS), and unexpected EL evaluation errors (Spring Web Flow).
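A scan that turns recommendation 2 and the consolidated version table into a repeatable check, as an added example (not a VMware or Spring tool): it parses `mvn dependency:tree` output and flags any coordinate inside the affected ranges listed above. The AFFECTED table is transcribed from this advisory; SAMPLE_TREE is constructed for the example and does not describe a real project. Gradle's `dependencies` output uses a different layout and would need its own regular expression.

```python
# Added example, not a VMware or Spring tool: flag coordinates in
# `mvn dependency:tree` output that fall inside the affected ranges listed in
# this advisory.  AFFECTED is transcribed from the advisory; SAMPLE_TREE is
# constructed for the example and is not a real project.
import re
import sys
from typing import Iterable, List, Optional, Tuple

# groupId -> [(affected minor line, first fixed version), ...].  Every artifact
# in these groups is released from the same project at the same version
# (spring-ws-core and spring-xml both ship as Spring WS 4.2.x), so matching on
# groupId alone is sufficient.
AFFECTED = {
    "org.springframework.integration": [("6.3", "6.3.6"), ("6.4", "6.4.2")],
    "org.springframework.ws":          [("4.1", "4.1.7"), ("4.2", "4.2.3")],
    "org.springframework.webflow":     [("3.2", "3.2.2"), ("4.0", "4.0.2")],
    "org.springframework.boot":        [("3.3", "3.3.8"), ("3.4", "3.4.5"), ("3.5", "3.5.2")],
}

# groupId:artifactId:type[:classifier]:version:scope, as printed on each tree line.
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?(\d[\w.\-]*):(\w+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: '4.2.3-SNAPSHOT' -> (4, 2, 3).  Qualifiers are
    dropped, so a 4.2.3-SNAPSHOT counts as fixed; tighten this if you ship snapshots."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def classify(group: str, version: str) -> Optional[str]:
    """Return the first fixed version if (group, version) is affected, else None.
    Minor lines the advisory does not list (e.g. Boot 2.7.x) are not flagged."""
    key = version_key(version)
    for minor, fixed in AFFECTED.get(group, []):
        if key[:2] == version_key(minor) and key < version_key(fixed):
            return fixed
    return None


def scan_tree(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return sorted unique (group, artifact, version, fixed) findings."""
    findings = set()
    for raw in lines:
        m = COORD.search(raw)
        if not m:
            continue                      # project root line, blank lines, noise
        group, artifact, version, _scope = m.groups()
        fixed = classify(group, version)
        if fixed:
            findings.add((group, artifact, version, fixed))
    return sorted(findings)


# Constructed sample output; the coordinates are shaped like real Maven output
# but the project is fictional.
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.5.2:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:3.5.2:compile
[INFO] |  \\- org.springframework:spring-web:jar:6.2.8:compile
[INFO] +- org.springframework.ws:spring-ws-core:jar:4.2.1:compile
[INFO] |  \\- org.springframework.ws:spring-xml:jar:4.2.1:compile
[INFO] +- org.springframework.integration:spring-integration-ftp:jar:6.4.2:compile
[INFO] +- org.springframework.webflow:spring-webflow:jar:3.2.1:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:3.5.2:test
""".splitlines()


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_spring_advisory.py   (or pass a file)
    if len(sys.argv) > 1:
        source = open(sys.argv[1])
    elif not sys.stdin.isatty():
        source = sys.stdin
    else:
        source = SAMPLE_TREE
    for group, artifact, version, fixed in scan_tree(source):
        print(f"{group}:{artifact}:{version}  ->  upgrade to {fixed}")
```

On the sample tree the scan reports spring-ws-core and spring-xml (4.2.1, below 4.2.3) and spring-webflow (3.2.1, below 3.2.2), while Boot 3.5.2 and spring-integration-ftp 6.4.2 are already at the fixed releases. Run it against `mvn dependency:tree -Dscope=runtime` as well as the default, since test-scoped findings are usually lower priority than what ships.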

Series Disclaimer: This advisory is part of Threat Modeling’s ongoing vulnerability intelligence series. CVE information is sourced from public NVD listings and vendor advisories. CVSS scores reflect the base score as published at the time of writing. Always consult official vendor bulletins and perform your own risk assessment before applying patches to production systems.
