Spring Web Services3.1.9

Facilitates the development of contract-first SOAP web services.

Changelog

🐞 Bug Fixes

  • AddressingEndpointInterceptor silently returns in-band response when out-of-band delivery fails
  • CVE-2026-41000: UsernameToken nonce/timestamp replay cache never configured
  • CVE-2026-40999: SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply
  • CVE-2026-40998: XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate
  • CVE-2026-40997: Account-status exceptions leak UserDetails and enable enumeration
  • CVE-2026-40996: RSA PKCS#1 v1.5 key transport enabled by default
  • CVE-2026-40995: X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts
  • CVE-2026-40994: BSP enforcement disabled by default
  • The default version of Spring Security is no longer supported

🔨 Dependency Upgrades

  • Upgrade to Javax Mail 1.6.2
  • Upgrade to Javax Mail API 1.6.2
  • Upgrade to Spring Framework 5.3.49
  • Upgrade to Spring Security 5.7.24
  • Upgrade to WSS4J 2.4.3
  • Upgrade to Xmlsec 2.3.5
  • Upgrade to XmlUnit 2.9.1
Get Started with Tanzu Spring today