CVE-2026-40988: Spring Security SAML2 Denial of Service via Unbounded Decompression
Spring Security's SAML 2.0 login and logout functionality has a flaw in how it handles compressed SAML messages sent via the REDIRECT binding. An attacker can send a specially crafted compressed payload that, when decompressed by the application, consumes excessive memory and causes the application to become unavailable. This is a denial-of-service attack that requires no authentication and can be triggered remotely by anyone with network access to the affected application.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in spring-security-saml2-service-provider's handling of REDIRECT binding SAML messages. The SAML 2.0 specification permits message compression via DEFLATE encoding. The affected Spring Security versions implement decompression without proper bounds checking on the output size, allowing an attacker to construct a small compressed payload that expands to enormous size in memory. This unbounded writer pattern leads to memory exhaustion and denial of service. The issue is specific to the REDIRECT binding; POST binding is not affected.
Business impact
Applications relying on Spring Security for SAML 2.0 single sign-on are at risk of availability loss. An attacker can render the authentication service unavailable without compromising data confidentiality or integrity. For organizations using SAML-based identity federation, this can prevent legitimate users from logging in, disrupting business operations. The attack requires no special privileges and can be executed repeatedly with minimal effort, making it an attractive vector for availability-focused attacks.
Affected systems
VMware Spring Security versions 5.7.0–5.7.23, 5.8.0–5.8.25, 6.3.0–6.3.16, 6.4.0–6.4.16, 6.5.0–6.5.10, and 7.0.0–7.0.5 are vulnerable. Any application that uses the spring-security-saml2-service-provider library with REDIRECT binding enabled for login or logout flows is at risk. This includes applications on Java 8 and later that integrate SAML 2.0 authentication.
Exploitability
Exploitation is straightforward and requires no authentication or user interaction. An attacker simply needs network access to the SAML endpoint and the ability to send HTTP requests with malicious compressed SAML payloads. The attack is not complex and can be automated. However, it is not currently known to be actively exploited in the wild, and no public exploit code is available. The vulnerability requires the REDIRECT binding to be in use; applications using only POST binding are not vulnerable.
Remediation
Upgrade Spring Security to a patched version immediately. Verify the vendor advisory for exact patch version numbers applicable to your deployment. As a temporary mitigation pending patching, configure network-level rate limiting or Web Application Firewall rules to restrict SAML authentication requests from untrusted sources, though this is not a substitute for patching. Monitor application memory usage and availability metrics for signs of compression bomb attacks.
Patch guidance
Apply the latest patched version of Spring Security corresponding to your currently deployed branch. Organizations on 5.7.x should upgrade to 5.7.24 or later, 5.8.x to 5.8.26 or later, 6.3.x to 6.3.17 or later, 6.4.x to 6.4.17 or later, 6.5.x to 6.5.11 or later, and 7.0.x to 7.0.6 or later (verify against the official Spring Security advisory for exact version availability and timeline). Patching should be treated as urgent given the high CVSS score and ease of exploitation.
Detection guidance
Monitor for sudden spikes in memory consumption or garbage collection activity correlated with SAML authentication requests. Log and alert on HTTP requests to SAML endpoints with unusually large compressed payloads or those containing deflate-encoded data. Review Web Application Firewall logs for repeated failed decompression attempts. Network-based intrusion detection may flag requests with compression ratios indicating potential zip bomb or compression bomb patterns, though SAML payloads may legitimately vary in size.
Why prioritize this
This vulnerability scores 7.5 (HIGH) due to its network-accessible attack vector, low complexity, and high availability impact. Although it does not affect confidentiality or integrity, denial of service against authentication services is a critical business risk. The ease of exploitation and lack of authentication requirements elevate priority further. Organizations should patch within days, not weeks.
Risk score, explained
CVSS 3.1 score of 7.5 reflects: Attack Vector Network (0.85), Attack Complexity Low (0.77), Privileges Required None (0.85), User Interaction None (0.85), and Availability Impact High (1.0). Confidentiality and Integrity impact are None (0.0). This results in a base score of 7.5, indicating a significant but non-critical vulnerability. The absence of data breach risk prevents a 9.0+ rating, but the ease of attack and business impact of authentication unavailability justify HIGH severity.
Frequently asked questions
Does this vulnerability affect SAML POST binding?
No. The vulnerability is specific to the REDIRECT binding, which encodes SAML messages in the URL query string and can apply compression. POST binding transmits SAML messages in the request body and is not affected by this decompression flaw.
Can this be exploited without network access to the SAML endpoint?
No. The attacker must be able to send HTTP requests to the SAML authentication endpoint. However, this is typically a public-facing service, so network access is not a significant barrier in most deployments.
What versions of Java are affected?
The vulnerability affects all supported Java versions (8 and later) that run Spring Security. The issue is in the Spring library itself, not in the Java runtime, so the Java version does not determine exploitability.
Is patching the only mitigation?
Patching is the primary and recommended mitigation. Temporary mitigations such as WAF-based rate limiting or network segmentation can reduce attack surface but do not fix the underlying unbounded decompression issue. These should be considered temporary measures only.
This analysis is based on information available as of the publication date and should not be considered a substitute for vendor advisories or professional security assessment. CVSS scores and affected version ranges are derived from official vulnerability databases. Organizations should verify patch availability and compatibility with their specific deployments before applying updates. No proof-of-concept or exploit code is discussed or provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41842HIGHSpring Framework DoS Vulnerability in Static Resource Resolution
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2025-52293HIGHGPAC MP4Box HEVC Parser Denial of Service (CVSS 7.5)
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-10143HIGHkafka-python SCRAM DoS – Event Loop Freeze Vulnerability
- CVE-2026-34713HIGHAdobe CAI Content Credentials Denial-of-Service Vulnerability
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass