{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41000", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:12.970Z", "datePublished": "2026-06-11T05:04:24.413Z", "dateUpdated": "2026-06-23T19:53:11.880Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T19:53:11.880Z"}, "title": "WSS4J validation does not use configured replay cache", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Attackers can re-submit still-valid cryptographic material within the acceptance window because WSS4J ReplayCache instances are not consistently wired into RequestData for validation-time checks even when configured."}]}], "affected": [{"vendor": "Spring", "product": "Spring Web Services", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.0.1.1", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.3.1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.19", "versionType": "custom"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.9", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41000"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T15:13:14.068411Z", "id": "CVE-2026-41000", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T16:13:44.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41000", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-11T15:13:14.068411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T15:13:18.609Z"}}], "cna": {"title": "WSS4J validation does not use configured replay cache", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Attackers can re-submit still-valid cryptographic material within the acceptance window because WSS4J ReplayCache instances are not consistently wired into RequestData for validation-time checks even when configured."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Web Services", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.0.1.1", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.3.1", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.19", "versionType": "custom"}, {"status": "affected", "version": "3.1.0", "lessThan": "3.1.9", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-41000"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.", "supportingMedia": [{"type": "text/html", "value": "Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T19:53:11.880Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41000", "state": "PUBLISHED", "dateUpdated": "2026-06-23T19:53:11.880Z", "dateReserved": "2026-04-16T02:19:12.970Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-11T05:04:24.413Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."}], "id": "CVE-2026-41000", "lastModified": "2026-06-11T15:21:30.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-11T07:16:28.037", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-41000"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Web Services: Spring Web Services: Replay protection bypass due to improper cache integration", "id": "2487804", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487804"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-294", "details": ["Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor.\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.", "A flaw was found in Spring Web Services. The security interceptor in the affected component did not properly integrate replay cache mechanisms. This vulnerability could allow a remote attacker to bypass replay protections for security tokens, such as UsernameToken nonces and SAML one-time-use elements. The consequence is a low integrity impact, where an attacker might be able to reuse tokens for unauthorized actions."], "mitigation": {"lang": "en:us", "value": "Ensure all SOAP endpoints using Spring Web Services WS-Security are accessed exclusively over TLS. This prevents attackers from capturing valid SOAP messages in transit, which is a prerequisite for exploiting the replay cache bypass. Additionally, reduce the WSS4J timestamp acceptance window (timeToLive) from the default 300 seconds to the minimum value the application can tolerate, limiting the replay window for any messages that may be intercepted through other means."}, "name": "CVE-2026-41000", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-ws-security", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-06-11T05:04:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41000\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41000\nhttps://spring.io/security/cve-2026-41000"], "statement": "Red Hat rates this vulnerability as Low impact with a CVSS score of 3.7, consistent with the upstream assessment. Attack Complexity is High (AC:H) because the attacker must first capture a valid SOAP message in transit and then replay it within the token acceptance window, which defaults to 300 seconds. Impact is limited to integrity (I:L), as a replayed message can only repeat an already-authorized operation with no effect on confidentiality or availability. Red Hat products that ship spring-ws-security, where the vulnerable Wss4jSecurityInterceptor resides, are limited to Red Hat Fuse 7. In Fuse deployments, this risk is further reduced when services enforce TLS for all SOAP endpoints, preventing the message capture that exploitation depends on.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,4.1.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.1.0,3.1.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Web Services", "source": "cna", "vendor": "Spring"}, "product": "spring_web_services", "vendor": "spring"}], "created": "2026-06-11T07:30:08.607632+00:00", "updated": "2026-06-11T10:40:14.238990+00:00", "vendors": ["spring", "spring$PRODUCT$spring_web_services"]}