Spring Web Services 5.0.1.1
Facilitates the development of contract-first SOAP web services.
Changelog
🐞 Bug Fixes
- CVE-2026-40994: BSP enforcement disabled by default
- CVE-2026-40995: X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts
- CVE-2026-40996: RSA PKCS#1 v1.5 key transport enabled by default
- CVE-2026-40997: Account-status exceptions leak UserDetails and enable enumeration
- CVE-2026-40998: XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate
- CVE-2026-40999: SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply
- CVE-2026-41000: UsernameToken nonce/timestamp replay cache never configured
- AddressingEndpointInterceptor silently returns in-band response when out-of-band delivery fails
🔨 Dependency Upgrades
- Upgrade to Spring Framework 7.0.7.1
- Upgrade to Spring Security 7.0.5.1