CVE-2026-40997
MEDIUMDescription
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Is your site exposed to CVE-2026-40997?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-40997? +
How severe is CVE-2026-40997? +
How do I check if I'm vulnerable to CVE-2026-40997? +
Related Vulnerabilities
A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google …
User enumeration vulnerability in M3M Printer Server Web. This issue occurs during user authentication, where a difference in error messages …
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected …
Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not …
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When …
In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting …