Spring Web Services 5.0.2 and 4.1.4 available now

Releases | Stéphane Nicoll | June 10, 2026

On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Web Services 5.0.2 and 4.1.4 have been released and are now available from Maven Central.

Spring Web Services 5.0.2 includes 13 bug fixes, documentation improvements, and dependency upgrades.

Spring Web Services 4.1.4 includes 13 bug fixes, documentation improvements, and dependency upgrades.

Thanks to all those who have contributed with issue reports and pull requests.

CVE reports

These releases address the following CVEs:

  • CVE-2026-40994 "BSP enforcement disabled by default"
  • CVE-2026-40995 "X509AuthenticationProvider ignores UserDetails disabled/locked/expired accounts"
  • CVE-2026-40996 "RSA PKCS#1 v1.5 key transport enabled by default"
  • CVE-2026-40997 "Account-status exceptions leak UserDetails and enable enumeration"
  • CVE-2026-40998 "XXE via unhardened XPath.evaluate(InputSource) in Jaxp13XPathTemplate"
  • CVE-2026-40999 "SSRF via WS-Addressing ReplyTo/FaultTo out-of-band reply"
  • CVE-2026-41000 "UsernameToken nonce/timestamp replay cache never configured"

How can you help?

If you're interested in helping out, check out the "ideal for contribution" tag in the issue repository. If you have general questions, please ask on stackoverflow.com using the spring-ws tag.
