Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVE-2026-40994 affects Spring Web Services across multiple versions (3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1): WS-I Basic Security Profile (BSP) enforcement is disabled during inbound message validation. The Wss4jSecurityInterceptor component initializes its BSP compliance flag in a way that turns off WSS4J's BSP enforcement on the RequestData used for validation, so the corresponding protocol-level checks are skipped. This is particularly dangerous because WS-Security messages that violate BSP rules (rules that exist to prevent known weaknesses in XML signature and encryption handling) are accepted as valid. Organizations running affected versions of Spring Web Services that rely on WS-Security for SOAP message protection therefore have a false sense of security: malformed or protocol-violating messages can pass their validation.
While Casky.ai currently shows zero matching skills directly mapped to this CVE, the underlying attack pattern involves protocol manipulation and security control bypass—detection would focus on identifying anomalies in WS-Security message validation patterns and configuration states. Practitioners using Casky's extended reasoning capabilities would need to look for indicators such as: RequestData objects with BSP enforcement disabled in logs, acceptance of WS-Security messages that should fail BSP validation rules, unusual XML signature or encryption patterns in SOAP traffic that violate WS-I specifications, and unexpected success of messages containing cryptographic or structural violations. Security teams should treat this as a control bypass vulnerability requiring immediate patching and manual review of message validation logs to identify whether non-compliant messages were processed during the vulnerable period.
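To locate affected builds before patching, the following added example (not code from the advisory, Spring, or Casky) checks dependency versions against the affected ranges stated above. The Maven dependency:tree line format it parses and the sample tree are assumed and constructed for illustration.

```python
"""Flag Spring Web Services artifacts whose version falls in a CVE-2026-40994 affected range."""
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 8)),
    ((4, 0, 0), (4, 0, 18)),
    ((4, 1, 0), (4, 1, 3)),
    ((5, 0, 0), (5, 0, 1)),
]

# Wss4jSecurityInterceptor ships in spring-ws-security; all Spring WS artifacts share the project version.
SPRING_WS_GROUP = "org.springframework.ws"


def parse_version(text):
    """Turn '4.1.2', '3.1.8.RELEASE' or '5.0.1-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Assumed Maven `dependency:tree` layout: groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+(?::[\w\-]+)?:([\w.\-]+):\w+")


def find_affected(tree_text):
    """Return [(artifactId, version)] for Spring WS artifacts in an affected range."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group == SPRING_WS_GROUP and is_affected(version):
            hits.append((artifact, version))
    return hits


# Constructed sample tree; versions are illustrative, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:soap-service:jar:1.0.0
[INFO] +- org.springframework.ws:spring-ws-core:jar:4.1.2:compile
[INFO] +- org.springframework.ws:spring-ws-security:jar:4.1.2:compile
[INFO] \\- org.springframework:spring-web:jar:6.1.5:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_TREE):
        print(f"AFFECTED: {artifact} {version}")
```

Feed it the real output of `mvn dependency:tree` (or an equivalent Gradle listing reshaped to the same line format) to get a per-module list of artifacts that need upgrading.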
© 2026 Casky.AI, Inc. · AI Security Investigation