An attacker with write permission to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns that hold the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).
Because the repository deserializes those columns when it reads the row, this may allow the attacker to execute code remotely on any server that loads the tampered rows.
Spring Security:
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 7.0.x | 7.0.6 | OSS |
If the upgrade causes deserialization of existing rows to fail, look for TRACE logs explaining why deserialization is being rejected.
These messages are logged by JdbcAssertingPartyMetadataRepository and begin with:
Failed to deserialize due to ...
If an adjustment is needed, you can set a custom deserializer with AssertingPartyMetadataRowMapper#setCredentialsDeserializer.
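The following is an added example, not code from Spring Security, of what such a custom deserializer can look like: a Deserializer that installs a JDK deserialization filter (JEP 290) so that only an explicit allow-list of classes is ever instantiated from the credential columns, plus a diagnostic that reports which class in a stored row the allow-list rejects. The class names in the allow-list are an assumption about what a legitimately saved Collection<Saml2X509Credential> serializes to, and the parameter type of setCredentialsDeserializer (Deserializer<Object>) is also assumed; both should be checked against the fixed version and a known-good row before rollout.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.core.serializer.Deserializer;

/**
 * Added example (not Spring Security code): a Deserializer for the
 * verification_credentials / encryption_credentials columns that only
 * instantiates classes on an explicit allow-list. Everything else in the
 * stream is rejected by the JDK's ObjectInputFilter before any instance exists.
 */
public final class AllowListCredentialsDeserializer implements Deserializer<Object> {

	// ASSUMPTION: the classes a legitimately saved Collection<Saml2X509Credential>
	// serializes to. Certificates and private keys are written through the JDK's
	// CertificateRep / KeyRep proxies, so those proxies are what the filter sees;
	// primitive arrays such as byte[] are reduced to their component type and need
	// no entry. The limits and the trailing "!*" reject anything not listed.
	static final String ALLOW_LIST = String.join(";",
			"maxdepth=16",
			"maxarray=100000",
			"maxrefs=4096",
			"org.springframework.security.saml2.core.Saml2X509Credential",
			"org.springframework.security.saml2.core.Saml2X509Credential$Saml2X509CredentialType",
			"java.security.cert.Certificate$CertificateRep",
			"java.security.KeyRep",
			"java.security.KeyRep$Type",
			"java.lang.Enum",
			"java.util.**",
			"!*");

	private final ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(ALLOW_LIST);

	@Override
	public Object deserialize(InputStream inputStream) throws IOException {
		return read(inputStream, this.filter);
	}

	/**
	 * Diagnostic counterpart of the advisory's "Failed to deserialize due to ..."
	 * TRACE message: returns the first class name in {@code bytes} that the
	 * allow-list rejects, or {@code null} if the row deserializes cleanly.
	 * The rejected class is never instantiated; the stream is abandoned at that point.
	 */
	public String rejectedClass(byte[] bytes) throws IOException {
		AtomicReference<String> rejected = new AtomicReference<>();
		ObjectInputFilter recording = (info) -> {
			ObjectInputFilter.Status status = this.filter.checkInput(info);
			// serialClass() is null for the array-length and reference-count checks
			if (status == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
				rejected.compareAndSet(null, info.serialClass().getName());
			}
			return status;
		};
		try {
			read(new ByteArrayInputStream(bytes), recording);
			return null;
		}
		catch (InvalidClassException ex) {
			// A REJECTED status surfaces as InvalidClassException("filter status: REJECTED")
			return (rejected.get() != null) ? rejected.get() : ex.getMessage();
		}
	}

	private static Object read(InputStream in, ObjectInputFilter filter) throws IOException {
		try (ObjectInputStream ois = new ObjectInputStream(in)) {
			ois.setObjectInputFilter(filter); // must be set before the first readObject()
			return ois.readObject();
		}
		catch (ClassNotFoundException ex) {
			throw new IOException("Unexpected class in credential column", ex);
		}
	}

	// Wiring into the row mapper used by JdbcAssertingPartyMetadataRepository
	// (ASSUMPTION: the setter takes a Deserializer<Object>):
	//   rowMapper.setCredentialsDeserializer(new AllowListCredentialsDeserializer());
}
```

Before enabling the allow-list in production, run rejectedClass over the bytes of a row you know was written by the application; if it returns a class name, that class belongs in the allow-list, whereas a name outside the Spring Security SAML, java.security or java.util namespaces on an untrusted row is exactly the kind of payload the advisory describes and should be treated as an incident rather than allowed. Note that a plain ObjectInputStream resolves classes through the caller's class loader, which is fine inside a Spring Boot application but may differ from the ClassLoader that Spring's DefaultDeserializer would use in a container with isolated loaders.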
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy