Spring Web Services 5.0.1.1

Facilitates the development of contract-first SOAP web services.

Changelog

🐞 Bug Fixes

  • CVE-2026-40994: BSP enforcement disabled by default
  • CVE-2026-40995: X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts
  • CVE-2026-40996: RSA PKCS#1 v1.5 key transport enabled by default
  • CVE-2026-40997: Account-status exceptions leak UserDetails and enable enumeration
  • CVE-2026-40998: XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate
  • CVE-2026-40999: SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply
  • CVE-2026-41000: UsernameToken nonce/timestamp replay cache never configured
  • AddressingEndpointInterceptor silently returns in-band response when out-of-band delivery fails

🔨 Dependency Upgrades

  • Upgrade to Spring Framework 7.0.7.1
  • Upgrade to Spring Security 7.0.5.1