HIGH | JUNE 09, 2026 | CVE-2026-41003
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code in HTML forms generated by Spring Security filters. Affected Spring Products and Versions: Spring Security 5.7.0 - 5.7.23, 5.8.0 - 5.8.25, 6.3.0 - 6.…
MEDIUM | JUNE 09, 2026 | CVE-2026-40988
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected…
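The REDIRECT binding carries the SAML message as base64(DEFLATE(xml)) in a query parameter, so a few kilobytes on the wire can inflate to many megabytes, and the attacker chooses the ratio. The following is an added example, a stand-alone Python model rather than Spring Security's own Java code: the vulnerable pattern (inflate whatever arrives) beside a bounded inflate that stops at a cap. The 1 MiB cap, the `make_zero_bomb` helper and the sample LogoutRequest are assumptions/constructed input.

```python
import base64
import zlib

# Assumed cap on the inflated SAML message; tune per deployment. Real
# AuthnRequests/LogoutRequests are a few KB, so 1 MiB is already generous.
MAX_INFLATED_BYTES = 1 << 20


class PayloadTooLarge(ValueError):
    """Raised when the inflated SAML payload would exceed the configured cap."""


def encode_redirect_param(xml: bytes) -> str:
    """Build a SAMLRequest/SAMLResponse value the way the REDIRECT binding does:
    raw DEFLATE (no zlib header), then base64. URL-encoding is left out."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii")


def inflate_unbounded(param: str) -> bytes:
    """The vulnerable pattern: inflate whatever the peer sent, however large."""
    return zlib.decompress(base64.b64decode(param), -15)


def inflate_bounded(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate at most `limit` bytes and reject the message if more is pending.

    decompressobj.decompress(data, max_length) stops producing output at
    max_length and parks the rest of the input in unconsumed_tail, so memory
    use is bounded by limit + 1 regardless of the compression ratio.
    """
    raw = base64.b64decode(param, validate=True)
    inflater = zlib.decompressobj(-15)
    out = inflater.decompress(raw, limit + 1)  # +1 makes an over-limit stream detectable
    if len(out) > limit or inflater.unconsumed_tail:
        raise PayloadTooLarge(f"inflated SAML payload exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def make_zero_bomb(inflated_len: int) -> str:
    """Constructed attacker input: a repetitive body that deflates roughly 1000:1."""
    return encode_redirect_param(b"\x00" * inflated_len)


# Constructed sample: a minimal (not schema-complete) LogoutRequest.
LEGIT_XML = (
    b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c0ffee" Version="2.0" IssueInstant="2026-06-09T00:00:00Z">'
    b'<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">alice</saml:NameID>'
    b"</samlp:LogoutRequest>"
)


if __name__ == "__main__":
    bomb = make_zero_bomb(8 * 1024 * 1024)
    print("bomb on the wire:", len(bomb), "bytes; unbounded inflate ->",
          len(inflate_unbounded(bomb)), "bytes")
    try:
        inflate_bounded(bomb)
    except PayloadTooLarge as exc:
        print("bounded inflate rejected it:", exc)
    print("legitimate request round-trips:",
          inflate_bounded(encode_redirect_param(LEGIT_XML)) == LEGIT_XML)
```

The cap should be checked on the inflated size, not the wire size: an 8 MiB bomb is about 11 KB after base64, well under any sane request-line limit.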
LOW | JUNE 09, 2026 | CVE-2026-41694
Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption…
MEDIUM | JUNE 09, 2026 | CVE-2026-41706
Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the…
MEDIUM | JUNE 09, 2026 | CVE-2026-41008
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated…
MEDIUM | JUNE 09, 2026 | CVE-2026-47838
This CVE is a continuation of CVE-2026-22747, which addressed this same issue for Spring Security 7.0.x. SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong…
MEDIUM | JUNE 09, 2026 | CVE-2026-41726
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError…
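The general lesson of this entry is that consumer-side state must never be keyed on a raw, producer-controlled header value. The block below is an added example, a stand-alone Python model and not Spring Kafka's DelegatingDeserializer: the assumed vulnerable shape (an entry created per distinct selector value and never evicted) beside an allowlisted delegating deserializer whose only state is the configured map. The `spring.kafka.serialization.selector` header name is from the advisory; the class names, the `flood` helper and the record contents are constructed.

```python
import json
from typing import Callable, Dict, Mapping, Optional

SELECTOR_HEADER = "spring.kafka.serialization.selector"  # header name from the advisory
Deserializer = Callable[[bytes], object]


class SelectorRejected(ValueError):
    """Raised when a record carries a selector that was never configured."""


class UnboundedSelectorCache:
    """Assumed vulnerable shape (a model, not Spring's code): per-selector state
    keyed on the raw header value with no bound, so every previously unseen
    selector adds an entry that is never released."""

    def __init__(self, delegates: Mapping[str, Deserializer], default: Deserializer):
        self._delegates = dict(delegates)
        self._default = default
        self._per_selector: Dict[str, Deserializer] = {}

    def deserialize(self, headers: Mapping[str, bytes], data: bytes) -> object:
        selector = headers.get(SELECTOR_HEADER, b"").decode("utf-8", "replace")
        if selector not in self._per_selector:  # grows once per distinct value
            self._per_selector[selector] = self._delegates.get(selector, self._default)
        return self._per_selector[selector](data)

    def state_size(self) -> int:
        return len(self._per_selector)


class AllowlistedSelectors:
    """Hardened: unknown selectors are refused (or handed to an optional default)
    without being remembered, so producer-controlled values cannot grow the heap."""

    def __init__(self, delegates: Mapping[str, Deserializer],
                 default: Optional[Deserializer] = None):
        self._delegates = dict(delegates)
        self._default = default

    def deserialize(self, headers: Mapping[str, bytes], data: bytes) -> object:
        selector = headers.get(SELECTOR_HEADER, b"").decode("utf-8", "replace")
        delegate = self._delegates.get(selector, self._default)  # no new entry is created
        if delegate is None:
            raise SelectorRejected(f"unknown selector {selector!r}")
        return delegate(data)

    def state_size(self) -> int:
        return len(self._delegates)


# Constructed configuration: two legitimate selectors.
DELEGATES: Dict[str, Deserializer] = {
    "order": json.loads,
    "raw": lambda payload: payload,
}


def flood(consumer, n: int) -> int:
    """Constructed attack traffic: n records, each with a never-seen selector.
    Returns how many records the consumer rejected."""
    rejected = 0
    for i in range(n):
        headers = {SELECTOR_HEADER: f"junk-{i}".encode()}
        try:
            consumer.deserialize(headers, b"{}")
        except SelectorRejected:
            rejected += 1
    return rejected


if __name__ == "__main__":
    vulnerable = UnboundedSelectorCache(DELEGATES, default=DELEGATES["raw"])
    flood(vulnerable, 10_000)
    print("vulnerable consumer now holds", vulnerable.state_size(), "selector entries")
    hardened = AllowlistedSelectors(DELEGATES)
    print("hardened consumer rejected", flood(hardened, 10_000), "records and holds",
          hardened.state_size(), "entries")
```

If rejecting is not an option for the application, the alternative is a fixed-size, LRU-evicted cache; what matters is that the bound is set by configuration, not by the number of distinct values a producer chooses to send.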
HIGH | JUNE 09, 2026 | CVE-2026-41731
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean…
HIGH | JUNE 09, 2026 | CVE-2026-41732
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages.
Additionally, an empty trusted-packages configuration fell back to trusting all…
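Both the Kafka and the Pulsar header-mapper entries describe the same two mistakes: a trusted-package test that matches by prefix, so trusting one package silently trusts every subpackage, and (for the Pulsar mapper) an empty allowlist that means "trust everything". The following is an added example, a stand-alone Python model rather than either mapper's Java code: the prefix check as the advisories describe it beside an exact-package check where an empty allowlist trusts nothing. The `spring_json_header_types` header name is the one DefaultKafkaHeaderMapper uses for per-header type information, as best I recall; the explicit `"*"` opt-in, the sample headers and the package names are assumptions/constructed.

```python
import json
from typing import Callable, Dict, Sequence

JSON_TYPES_HEADER = "spring_json_header_types"  # header carrying {header name: class name}
TrustCheck = Callable[[str, Sequence[str]], bool]


def package_of(class_name: str) -> str:
    """'com.example.orders.Order' -> 'com.example.orders'; default package -> ''."""
    head, sep, _ = class_name.rpartition(".")
    return head if sep else ""


def trusted_by_prefix(class_name: str, trusted: Sequence[str]) -> bool:
    """Model of the check the advisories describe: a package matches if it is
    the trusted package or any subpackage of it, and an empty allowlist falls
    back to trusting everything."""
    if not trusted:
        return True
    pkg = package_of(class_name)
    return any(pkg == p or pkg.startswith(p + ".") for p in trusted)


def trusted_exact(class_name: str, trusted: Sequence[str]) -> bool:
    """Hardened: the class's package must equal an allowlisted package.
    An empty allowlist trusts nothing; trusting everything requires the
    explicit "*" entry (assumed design, not the mapper's API)."""
    if "*" in trusted:
        return True
    return package_of(class_name) in trusted


def untrusted_headers(headers: Dict[str, bytes], trusted: Sequence[str],
                      check: TrustCheck) -> list:
    """Names of headers whose declared type fails `check`; these must not be
    handed to Jackson for typed deserialization."""
    declared = json.loads(headers.get(JSON_TYPES_HEADER, b"{}"))
    return [name for name, cls in declared.items() if not check(cls, trusted)]


# Constructed record headers: one type in the trusted package, one in a
# subpackage the operator never listed.
SAMPLE_HEADERS: Dict[str, bytes] = {
    "order": b'{"id": 42}',
    "gadget": b'{"cmd": "..."}',
    JSON_TYPES_HEADER: json.dumps({
        "order": "com.example.orders.Order",
        "gadget": "com.example.orders.internal.Gadget",
    }).encode(),
}
TRUSTED = ["com.example.orders"]


if __name__ == "__main__":
    print("prefix check rejects:", untrusted_headers(SAMPLE_HEADERS, TRUSTED, trusted_by_prefix))
    print("exact check rejects: ", untrusted_headers(SAMPLE_HEADERS, TRUSTED, trusted_exact))
    print("empty allowlist, prefix check trusts anything:",
          trusted_by_prefix("anything.Goes", []))
    print("empty allowlist, exact check trusts anything:",
          trusted_exact("anything.Goes", []))
```

The consequence of the prefix behaviour is easy to miss in configuration review: an allowlist of `com.example.orders` looks tight, but under the prefix check it also admits every class under `com.example.orders.internal` or any other subpackage an attacker can name.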
MEDIUM | JUNE 09, 2026 | CVE-2026-41727
Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them.
A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause…