CVE-2026-40996

Published: Giu 11, 2026 Last Modified: Giu 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,8

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: low

Availability: none

Description

AI Translation Available

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag.

Affected versions:
Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,1th

Updated

EPSS Score Trend (Last 7 Days)

327

Use of a Broken or Risky Cryptographic Algorithm

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Accountability Non-Repudiation

Potential Impacts:

Read Application Data Modify Application Data Hide Activities

Applicable Platforms

Languages: Not Language-Specific, Verilog, VHDL

Technologies: Not Technology-Specific, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://spring.io/security/cve-2026-40996

CVE-2026-40996

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 7 Days)

Use of a Broken or Risky Cryptographic Algorithm

Common Consequences

Applicable Platforms

Iscriviti alla newsletter