X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken as soon as a presented client certificate mapped to a UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). The omission applied both to users freshly resolved through X509AuthoritiesPopulator and to entries served from the user cache, so accounts that should have been rejected could still authenticate when mutual TLS or certificate-based SOAP authentication was in use.
Preconditions: certificate-based authentication wired through the Spring WS X.509 integration with Spring Security, and user records in a non-active account state (disabled, locked, expired, or credentials expired) that should not be allowed to authenticate.
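The two behaviours described above, side by side, as an added illustration that is not code from Spring Web Services or its fix. `CertificateMappedAuthenticator`, `authenticateUnchecked` and `authenticateChecked` are hypothetical names; the client certificate is reduced to its subject DN string so the example runs without generating a certificate (a real provider hands the X509Certificate to an X509AuthoritiesPopulator). Only spring-security-core is needed on the classpath; `AccountStatusUserDetailsChecker` is Spring Security's own implementation of the lifecycle checks the description says were missing.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;

import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical stand-in for a certificate-to-user authentication provider.
// The "populator" maps a certificate subject DN to a UserDetails, and resolved
// users are cached, mirroring the populator-plus-cache shape in the description.
public class CertificateMappedAuthenticator {

    private final Function<String, UserDetails> populator;
    private final Map<String, UserDetails> userCache = new LinkedHashMap<>();
    // Throws LockedException, DisabledException, AccountExpiredException or
    // CredentialsExpiredException (all subclasses of AccountStatusException).
    private final UserDetailsChecker statusChecker = new AccountStatusUserDetailsChecker();

    public CertificateMappedAuthenticator(Function<String, UserDetails> populator) {
        this.populator = populator;
    }

    // Cache first, then populator; the source of the entry is irrelevant to the
    // caller, which is why the status check must run after this step.
    private UserDetails resolve(String subjectDn) {
        UserDetails user = userCache.get(subjectDn);
        if (user == null) {
            user = populator.apply(subjectDn);
            userCache.put(subjectDn, user);
        }
        return user;
    }

    // Behaviour the advisory describes: any mapped user, cached or freshly
    // populated, is treated as authenticated regardless of account state.
    public UserDetails authenticateUnchecked(String subjectDn) {
        return resolve(subjectDn);
    }

    // Hardened form: apply the standard lifecycle checks after the lookup, so
    // entries coming back from the cache are checked on every request too.
    public UserDetails authenticateChecked(String subjectDn) {
        UserDetails user = resolve(subjectDn);
        statusChecker.check(user);
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample directory: one active account and three that must be rejected.
        Map<String, UserDetails> directory = new LinkedHashMap<>();
        directory.put("CN=alice,O=Example",
                User.withUsername("alice").password("{noop}unused").roles("USER").build());
        directory.put("CN=bob,O=Example",
                User.withUsername("bob").password("{noop}unused").roles("USER").disabled(true).build());
        directory.put("CN=carol,O=Example",
                User.withUsername("carol").password("{noop}unused").roles("USER").accountLocked(true).build());
        directory.put("CN=dave,O=Example",
                User.withUsername("dave").password("{noop}unused").roles("USER").credentialsExpired(true).build());

        CertificateMappedAuthenticator auth = new CertificateMappedAuthenticator(dn -> {
            UserDetails u = directory.get(dn);
            if (u == null) {
                throw new UsernameNotFoundException("no user mapped to " + dn);
            }
            return u;
        });

        for (String dn : directory.keySet()) {
            // Unchecked path: every mapped certificate authenticates.
            System.out.println("unchecked  " + dn + " -> " + auth.authenticateUnchecked(dn).getUsername());
            // Checked path: second call for the same DN is served from the cache and is still checked.
            for (int attempt = 1; attempt <= 2; attempt++) {
                try {
                    UserDetails u = auth.authenticateChecked(dn);
                    System.out.println("checked #" + attempt + " " + dn + " -> authenticated " + u.getUsername());
                } catch (AccountStatusException e) {
                    System.out.println("checked #" + attempt + " " + dn + " -> rejected: " + e.getClass().getSimpleName());
                }
            }
        }
    }
}
```

The check runs against whatever `UserDetails` object the lookup returned, so a cache only stays safe if the cached entry's status flags are current: an account disabled after it was cached would still pass until the cache entry is evicted or refreshed.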
Spring Web Services:
Versions that are no longer supported are also affected.
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.0.x | 5.0.2 | OSS |
| 5.0.x | 5.0.1.1 | Enterprise Support Only |
| 4.1.x | 4.1.4 | OSS |
| 4.1.x | 4.1.3.1 | Enterprise Support Only |
| 4.0.x | 4.0.19 | Enterprise Support Only |
| 3.1.x | 3.1.9 | Enterprise Support Only |
No further mitigation steps are necessary.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.