CVE Catalog

CVE-2026-40995

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken for a certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks.

Risk Assessment

The organization may be exposed to unauthorized access as accounts could be active despite being disabled, locked, expired, or having expired credentials.

Recommendation

It is recommended to update to the latest version of Spring Web Services to ensure proper application of account lifecycle checks.

Original NVD description (English source)

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS