Spring WS SSRF via unvalidated WS-Addressing reply destinations
CVE-2026-40999

8.6HIGH

Key Information:

Vendor: Spring
Status: Spring Web Services
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-40999?

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Affected Version(s)

Spring Web Services 5.0.0 < 5.0.2

Spring Web Services 4.1.0 < 4.1.4

Spring Web Services 4.0.0 < 4.0.19

References

https://spring.io/security/cve-2026-40999

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40999 Data

JSON