Security Advisory - Published 2026-06-11 - Spring Web Services
Spring Web Services CVE-2026-40998: XPath XXE self-check
CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate when the input arrives as a StreamSource or SAXSource. With those inputs the XML is parsed during the XPath evaluation rather than by a parser the application configured itself; a DOMSource produced by the application's own parser is not among the listed affected inputs. The practical question is simple: can a remote user, partner feed, or message queue submit XML that reaches this XPath path?
Affected versions
| Spring Web Services line | Affected versions | OSS fix listed by Spring |
|---|---|---|
| 5.0.x | 5.0.0 through 5.0.1 | 5.0.2 |
| 4.1.x | 4.1.0 through 4.1.3 | 4.1.4 |
| 4.0.x | 4.0.0 through 4.0.18 | 4.0.19 |
| 3.1.x | 3.1.0 through 3.1.8 | 3.1.9 |
10-minute self-check
Find the dependency
```shell
mvn dependency:tree | grep -i spring-ws
./gradlew dependencies --configuration runtimeClasspath | grep -i spring-ws
```
Search for risky XPath and source usage
```shell
grep -Rni "Jaxp13XPathTemplate\\|StreamSource\\|SAXSource\\|XPathExpression" src 2>/dev/null | head -120
```
A vulnerable version matters most when user-controlled XML reaches the XPath evaluation path. SOAP services, XML upload endpoints, partner feeds, and queue consumers deserve the first review.
Safe fix path
- Upgrade Spring Web Services to the fixed line that matches your application.
- Confirm the resolved runtime dependency after the build, not just the parent BOM.
- Review XML entry points and disable DOCTYPE processing and external entity resolution in any parser the application constructs itself; where code hands a StreamSource or SAXSource to the XPath template, parse the XML first with a hardened parser and pass the resulting DOMSource instead.
- Watch application logs for XML parser errors, SSRF-like outbound requests, and unexpected file access warnings.
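The following Java is an added example, not code from the advisory or from Spring Web Services. It puts the affected input shape described above (untrusted bytes wrapped in a StreamSource and handed straight to Jaxp13XPathTemplate) next to the parser-hardening step from the fix list: parse the XML first with a DocumentBuilderFactory that rejects DOCTYPE declarations and external entities, then evaluate the XPath over the resulting DOMSource. The `/order/note` expression, the order document and the XXE payload are constructed for illustration, and the class and method names are hypothetical; the JAXP feature URIs are the standard Xerces/JDK ones. Treat this as defense in depth alongside the upgrade, not a replacement for it.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;

import org.springframework.xml.xpath.Jaxp13XPathTemplate;
import org.springframework.xml.xpath.XPathOperations;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (hypothetical application code): the affected input shape
 * beside a hardened replacement for XPath evaluation over untrusted XML.
 */
public class XPathXxeHardening {

    // Constructed XXE payload: a DOCTYPE declaring an external entity that points at a local file.
    static final String PAYLOAD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<order><id>42</id><note>&xxe;</note></order>";

    private static final XPathOperations XPATH = new Jaxp13XPathTemplate();

    /**
     * Affected shape from the advisory: raw bytes wrapped in a StreamSource go straight to the
     * template, so the XML is parsed inside the XPath evaluation with settings the application
     * never touched. Shown for contrast only; do not call it with untrusted input.
     */
    static String vulnerableNote(String xml) {
        Source untrusted = new StreamSource(new StringReader(xml));
        return XPATH.evaluateAsString("/order/note", untrusted);
    }

    /**
     * Hardened shape: parse first with DTDs and external entities disabled, then evaluate
     * XPath over the already-parsed DOM. PAYLOAD fails at parse time with a
     * SAXParseException because the DOCTYPE is rejected before any entity is resolved.
     */
    static String hardenedNote(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; on JDK/Xerces parsers this alone blocks classic XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment has to relax the line above for a legitimate DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);

        DocumentBuilder builder = dbf.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        // The template now receives a DOM the application parsed itself, not raw bytes.
        return XPATH.evaluateAsString("/order/note", new DOMSource(doc));
    }

    public static void main(String[] args) throws Exception {
        // Benign document: the hardened path returns the note text unchanged.
        String benign = "<order><id>7</id><note>hello</note></order>";
        System.out.println("hardened, benign: " + hardenedNote(benign));

        // Hostile document: rejected at parse time, so the file reference is never followed.
        try {
            hardenedNote(PAYLOAD);
        } catch (SAXParseException e) {
            System.out.println("hardened, payload rejected: " + e.getMessage());
        }
    }
}
```

When auditing, the grep hits for StreamSource and SAXSource from the self-check above are the call sites to convert to this pattern; because the advisory lists SAXSource among the affected inputs, parsing into a DOMSource with a hardened builder is a more reliable change than trying to tune the reader behind an existing SAXSource.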
Ping7 repair path
Ping7 can review dependency trees, XML entry points, parser configuration, and upgrade testing for owned or client-approved applications. Start from CVE Repair and include your Spring Web Services version, framework line, and how XML enters the app.