MEDIUM | JUNE 09, 2026 | CVE-2026-40993
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or…
HIGH | JUNE 09, 2026 | CVE-2026-41003
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected Spring Products and Versions Spring Security: 5.7.0 - 5.7.23 5.8.0 - 5.8.25 6.3.0 - 6.…
LOW | JUNE 09, 2026 | CVE-2026-41694
Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption…
MEDIUM | JUNE 09, 2026 | CVE-2026-41008
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated…
MEDIUM | JUNE 09, 2026 | CVE-2026-41706
Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the…
MEDIUM | JUNE 09, 2026 | CVE-2026-47838
This CVE is a continuation of CVE-2026-22747, which addressed this same issue for Spring Security 7.0.x. SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong…
MEDIUM | JUNE 09, 2026 | CVE-2026-41726
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError…
MEDIUM | JUNE 09, 2026 | CVE-2026-41727
Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause…
HIGH | JUNE 09, 2026 | CVE-2026-41732
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all…
HIGH | JUNE 09, 2026 | CVE-2026-41731
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean…