CVE-2026-41694

Published: Jun 10, 2026Modified: Jun 12, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Affected (6)

Products: Vmware: Spring Security

Vmware

1 product

Spring Security

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Security	From 5.7.0 to 5.7.24
Vmware Spring Security	From 5.8.0 to 5.8.26
Vmware Spring Security	From 6.3.0 to 6.3.17
Vmware Spring Security	From 6.4.0 to 6.4.17
Vmware Spring Security	From 6.5.0 to 6.5.11
Vmware Spring Security	From 7.0.0 to 7.0.6

Related CWEs

CWE-347

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (1)

https://spring.io/security/cve-2026-41694

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.