Use of RSA Algorithm without OAEP Affecting org.springframework.ws:spring-ws-security package, versions [,4.1.4)[5.0.0-M1,5.0.2)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORKWS-17320523
- published12 Jun 2026
- disclosed10 Jun 2026
- creditUnknown
Introduced: 10 Jun 2026
NewCVE-2026-40996 (opens in a new tab)How to fix?
Upgrade org.springframework.ws:spring-ws-security to version 4.1.4, 5.0.2 or higher.
Overview
Affected versions of this package are vulnerable to Use of RSA Algorithm without OAEP via the Wss4jSecurityInterceptor class, in the Wss4jSecurityInterceptor.java file due to defaulting allowRSA15KeyTransportAlgorithm to true when building the validation RequestData. This overrides Apache WSS4J's safer default, so inbound WS-Security decryption accepts EncryptedKey elements that wrap the symmetric key with the legacy RSA PKCS#1 v1.5 (rsa-1_5) key-transport algorithm instead of requiring RSA-OAEP. An attacker who can capture encrypted SOAP messages and submit modified ciphertexts to the endpoint can use the server's responses as a Bleichenbacher padding oracle to recover the message encryption key, defeating the confidentiality and integrity of WS-Security-protected traffic.
Note:
This is only exploitable if the attacker has a network position from which to intercept WS-Security traffic, and exploitation depends on peers actually negotiating RSA v1.5 key transport.
Workaround
This can be mitigated by calling setAllowRSA15KeyTransportAlgorithm(false) on the Wss4jSecurityInterceptor bean to reject RSA PKCS#1 v1.5 key transport on inbound messages.