CVE-2026-40995
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken for a certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks.
Risk Assessment
The organization may be exposed to unauthorized access as accounts could be active despite being disabled, locked, expired, or having expired credentials.
Recommendation
It is recommended to update to the latest version of Spring Web Services to ensure proper application of account lifecycle checks.
Original NVD description (English source)
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

