CVE-2026-41000

Published Jun 11, 2026

Last updated 3 days ago

CVSS low 3.7

Overview

Description
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Source
security@vmware.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
3.7
Impact score
1.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity
LOW

Weaknesses

security@vmware.com
CWE-294

Social media

Hype score
Not currently trending

  1. 🚨*CVE* CVE-2026-41000 Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against re… https://t.co/mREkFXysrg ----- Traducción: CVE-2026-41000 Wss… https://t.co/utmtNg

    @infoflowcloud

    11 Jun 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.