Spring Web Services4.0.19

Facilitates the development of contract-first SOAP web services.

Changelog

🐞 Bug Fixes

  • AddressingEndpointInterceptor silently returns in-band response when out-of-band delivery fails
  • CVE-2026-41000: UsernameToken nonce/timestamp replay cache never configured
  • CVE-2026-40999: SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply
  • CVE-2026-40998: XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate
  • CVE-2026-40997: Account-status exceptions leak UserDetails and enable enumeration
  • CVE-2026-40996: RSA PKCS#1 v1.5 key transport enabled by default
  • CVE-2026-40995: X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts
  • CVE-2026-40994: BSP enforcement disabled by default

🔨 Dependency Upgrades

  • Upgrade to Spring Framework 6.2.18.1
  • Upgrade to Spring Security 6.4.17
Get Started with Tanzu Spring today