Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource
Description
Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK’s default DocumentBuilderFactory behavior instead of Spring’s hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks, including confidential file disclosure or server-side request forgery through external entities, depending on parser and platform behavior.
Preconditions include exposing XPath evaluation over data controlled or influenced by remote users (directly or through message paths), using the vulnerable source types without an additional hardening layer.
Affected Spring Products and Versions
Spring Web Services:
- 5.0.0 - 5.0.1
- 4.1.0 - 4.1.3
- 4.0.0 - 4.0.18
- 3.1.0 - 3.1.8
Versions that are no longer supported are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.0.x | 5.0.2 | OSS |
| 5.0.1.1 | Enterprise Support Only | |
| 4.1.x | 4.1.4 | OSS |
| 4.1.3.1 | Enterprise Support Only | |
| 4.0.x | 4.0.19 | Enterprise Support Only |
| 3.1.x | 3.1.9 | Enterprise Support Only |
No further mitigation steps are necessary.
References
History
- 2026-06-10: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all