Security Advisory - Published 2026-06-11 - Spring Web Services

Spring Web Services CVE-2026-40998: XPath XXE self-check

CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource inputs. The practical question is simple: can a remote user, partner feed, or message queue submit XML that reaches this XPath path?

Defensive scope: this page covers dependency versions, code search, input-flow review, and patching. It does not include XML entity samples or SSRF/file disclosure reproduction steps.

Affected versions

Spring Web Services line   Affected versions       OSS fix listed by Spring
5.0.x                      5.0.0 through 5.0.1     5.0.2
4.1.x                      4.1.0 through 4.1.3     4.1.4
4.0.x                      4.0.0 through 4.0.18    4.0.19
3.1.x                      3.1.0 through 3.1.8     3.1.9

10-minute self-check

Find the dependency

mvn dependency:tree | grep -i spring-ws
./gradlew dependencies --configuration runtimeClasspath | grep -i spring-ws

Search for risky XPath and source usage

grep -Rni "Jaxp13XPathTemplate\\|StreamSource\\|SAXSource\\|XPathExpression" src 2>/dev/null | head -120

A vulnerable version matters most when user-controlled XML reaches the XPath evaluation path. SOAP services, XML upload endpoints, partner feeds, and queue consumers deserve the first review.

Safe fix path

  1. Upgrade Spring Web Services to the fixed line that matches your application.
  2. Confirm the resolved runtime dependency after the build, not just the parent BOM.
  3. Review XML entry points and disable external entity resolution in any custom parser code.
  4. Watch application logs for XML parser errors, SSRF-like outbound requests, and unexpected file access warnings.
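The hardening in step 3, as an added example rather than code from the advisory or from Spring: untrusted XML is parsed first with a DocumentBuilderFactory that refuses DOCTYPE declarations and external entities, and only the resulting DOM is handed to Jaxp13XPathTemplate as a DOMSource. Handing over an already-parsed DOM, instead of a StreamSource or SAXSource, means the template has nothing left to parse, so the check does not depend on how any given Spring Web Services version treats the reader inside a SAXSource. The class name, method names and sample document are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import org.springframework.xml.xpath.Jaxp13XPathTemplate;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical helper for this example; not part of Spring Web Services.
public class HardenedXPathEvaluator {

    // Builds a parser that rejects DOCTYPE declarations and never loads
    // external entities or DTDs, regardless of what the input asks for.
    static DocumentBuilderFactory secureFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any DOCTYPE is refused outright; a partner feed that needs one
        // should be handled by a separate, explicitly reviewed parser.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the untrusted document with the hardened factory, then evaluates
    // the XPath over the DOM. A DOCTYPE in the input raises a parse exception,
    // which is exactly the XML parser error step 4 tells you to watch for.
    public static String evaluate(String untrustedXml, String expression) throws Exception {
        Document doc = secureFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(untrustedXml)));
        return new Jaxp13XPathTemplate().evaluateAsString(expression, new DOMSource(doc));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message, not taken from the advisory.
        String xml = "<order><id>42</id><customer>acme</customer></order>";
        System.out.println(evaluate(xml, "/order/id"));
    }
}
```

The feature URIs above are the ones the JDK's built-in parser understands; a third-party JAXP implementation on the classpath may reject an unknown feature with a ParserConfigurationException, which should be treated as a deployment error rather than silently caught.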

Ping7 repair path

Ping7 can review dependency trees, XML entry points, parser configuration, and upgrade testing for owned or client-approved applications. Start from CVE Repair and include your Spring Web Services version, framework line, and how XML enters the app.

References