Spring Web Services3.1.9
Facilitates the development of contract-first SOAP web services.
Changelog
🐞 Bug Fixes
- AddressingEndpointInterceptor silently returns in-band response when out-of-band delivery fails
- CVE-2026-41000: UsernameToken nonce/timestamp replay cache never configured
- CVE-2026-40999: SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply
- CVE-2026-40998: XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate
- CVE-2026-40997: Account-status exceptions leak UserDetails and enable enumeration
- CVE-2026-40996: RSA PKCS#1 v1.5 key transport enabled by default
- CVE-2026-40995: X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts
- CVE-2026-40994: BSP enforcement disabled by default
- The default version of Spring Security is no longer supported
🔨 Dependency Upgrades
- Upgrade to Javax Mail 1.6.2
- Upgrade to Javax Mail API 1.6.2
- Upgrade to Spring Framework 5.3.49
- Upgrade to Spring Security 5.7.24
- Upgrade to WSS4J 2.4.3
- Upgrade to Xmlsec 2.3.5
- Upgrade to XmlUnit 2.9.1
Get Started with Tanzu Spring today