Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData, contradicting the intended secure default and the published setter contract. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules around signatures and related constructs, weakening protocol-level checks that are meant to constrain interoperable, safe use of WS-Security.
Preconditions include use of Wss4jSecurityInterceptor (or equivalent wiring) for inbound validation without explicitly enabling BSP compliance.
Spring Web Services:
Versions that are no longer supported are also affected.
Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.0.x | 5.0.2 | OSS |
| 5.0.x | 5.0.1.1 | Enterprise Support Only |
| 4.1.x | 4.1.4 | OSS |
| 4.1.x | 4.1.3.1 | Enterprise Support Only |
| 4.0.x | 4.0.19 | Enterprise Support Only |
| 3.1.x | 3.1.9 | Enterprise Support Only |

If you are not able to upgrade, you can enable BSP compliance explicitly by calling the setBspCompliant setter on the interceptor with true as its argument, so that inbound validation no longer depends on the constructor default.
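The following Java configuration is an added example of that workaround; it is not code from the advisory or from the Spring Web Services project. It wires Wss4jSecurityInterceptor for inbound signature validation and turns BSP enforcement on explicitly rather than relying on the constructor default. The keystore file name, its password, and the class name WsSecurityConfig are assumptions chosen for the example; the WSS4J Merlin property names and the Spring WS interceptor setters are real APIs.

```java
import java.util.List;
import java.util.Properties;

import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

/**
 * Example configuration (assumed class name) applying the advisory's workaround:
 * BSP compliance is enabled explicitly on the inbound-validation interceptor.
 */
@Configuration
@EnableWs
public class WsSecurityConfig extends WsConfigurerAdapter {

    // WSS4J Merlin crypto backed by a truststore holding the signer certificates.
    // File name and password are placeholders for this example.
    private Crypto serverCrypto() {
        Properties props = new Properties();
        props.setProperty("org.apache.wss4j.crypto.provider",
                "org.apache.wss4j.common.crypto.Merlin");
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.file",
                "server-truststore.jks");          // assumed file on the classpath
        props.setProperty("org.apache.wss4j.crypto.merlin.keystore.password",
                "changeit");                        // placeholder, load from a secret store in practice
        try {
            return CryptoFactory.getInstance(props);
        } catch (WSSecurityException e) {
            throw new IllegalStateException("Unable to load WS-Security truststore", e);
        }
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Require a signature on every inbound message and verify it against the truststore.
        interceptor.setValidationActions("Signature");
        interceptor.setValidationSignatureCrypto(serverCrypto());

        // Workaround from the advisory: do not rely on the constructor default, which in
        // affected versions left BSP enforcement disabled for inbound validation.
        interceptor.setBspCompliant(true);

        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        // Register the interceptor so every endpoint's inbound traffic is validated.
        interceptors.add(securityInterceptor());
    }
}
```

With this in place, a signed message that violates BSP rules (for example, a non-BSP signature or reference construct that WSS4J would otherwise tolerate) is rejected during inbound validation, which is the behaviour the fixed versions restore by default. Once you have upgraded, the explicit call is harmless and documents the intent.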
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.