CVE-2026-40993: Spring Security SAML Metadata Deserialization RCE
Spring Security versions 7.0.0 through 7.0.5 contain a deserialization vulnerability in how they manage SAML metadata. An attacker who has write access to specific database tables can insert malicious serialized code into credential storage columns. When the application deserializes this data, it executes the attacker's payload. This requires existing database write privileges, but the impact can be severe—potentially allowing unauthorized access or system manipulation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40993 exploits unsafe deserialization in JdbcAssertingPartyMetadataRepository, which persists SAML asserting party metadata to a relational database table (saml2_asserting_party_metadata). The vulnerability exists in the verification_credentials and encryption_credentials columns, which store serialized Java objects representing cryptographic keys and certificates. An attacker with INSERT or UPDATE permissions on this table can craft malicious serialized payloads that, upon deserialization by the application, execute arbitrary code. The issue stems from CWE-502 (Deserialization of Untrusted Data) and requires a sophisticated attacker with database access, but the consequences justify the HIGH severity rating.
Business impact
Compromise of a Spring Security-protected application's metadata layer can undermine the entire SAML authentication chain. An attacker exploiting this could impersonate legitimate SAML identity providers, intercept or forge authentication tokens, or escalate privileges within federated systems. In enterprise environments relying on Spring Security for SSO or multi-tenant SAML workflows, this creates a path to authentication bypass and lateral movement across dependent applications. The threat is heightened in scenarios where database access controls are weak or where insider threats exist.
Affected systems
Spring Security 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, and 7.0.5 are in scope. Any Spring Boot or Spring application configured to use JdbcAssertingPartyMetadataRepository for SAML 2.0 service provider operations is at risk. Organizations running Spring Security 6.x or earlier versions are unaffected. The vulnerability is specific to the JDBC-backed metadata repository and does not affect in-memory or XML-based metadata configurations.
Exploitability
Exploitation requires database write privileges, which significantly constrains the threat model. An attacker must either compromise database credentials, exploit a separate SQL injection vulnerability, or leverage insider access. Once that foothold exists, crafting a malicious serialized payload is straightforward for an advanced attacker familiar with Java deserialization gadget chains. The attack is not exploitable over the network without prior database compromise. The CVSS vector (AV:A/AC:H/PR:H) reflects these prerequisites; however, the HIGH severity underscores that database compromise is a plausible scenario in shared hosting or cloud environments. This vulnerability is not presently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Upgrade to Spring Security 7.0.6 or later, which contains a fix for unsafe deserialization in credential storage. If immediate patching is not feasible, restrict database write permissions to the saml2_asserting_party_metadata table to only trusted administrative accounts and service accounts. Audit recent database modification logs for unauthorized changes to metadata columns. In high-risk environments, rotate SAML signing and encryption credentials and monitor for anomalous authentication events or token issuance patterns.
Patch guidance
Spring Security patch releases addressing this issue are expected in the 7.0.x branch. Verify the exact patched version against the VMware Spring Security advisory and release notes before deployment. Organizations should test the patch in a staging environment to ensure compatibility with existing SAML configurations and metadata caching layers. No breaking changes are anticipated, but validation of metadata reload behavior is recommended post-upgrade.
Detection guidance
Monitor database audit logs for INSERT or UPDATE operations on the saml2_asserting_party_metadata table, particularly modifications to verification_credentials or encryption_credentials columns. Establish baseline profiles of normal metadata updates and alert on deviations. Review application logs for deserialization errors or unexpected exception stack traces mentioning java.io.ObjectInputStream or gadget chain classes. In SIEM platforms, correlate database modification events with subsequent authentication anomalies—unexpected principal elevation, unusual token claims, or failed SAML assertion validations—to detect post-exploitation activity.
Why prioritize this
Despite the HIGH CVSS score, real-world urgency depends on organizational context. Teams deploying Spring Security 7.0.x specifically for SAML functionality should prioritize patching within 2-4 weeks. Organizations with Spring Security 6.x or non-SAML deployments can defer. This vulnerability has not achieved public exploitation maturity, but the combination of authentication layer criticality and the relative ease of crafting payloads post-compromise warrants proactive remediation before adversaries mature proof-of-concept code.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects the severity of code execution via deserialization, the scope expansion to other systems through SAML federation, and the integrity and availability impacts. However, the score is moderated by the required database write access (PR:H) and the high complexity of exploitation (AC:H), which assume attacker sophistication. Organizations with robust database access controls and network segmentation may treat this as a medium priority, while those with weak database hygiene should treat it as critical.
Frequently asked questions
Do I need to patch if we use Spring Security but not SAML 2.0?
No. This vulnerability is specific to JdbcAssertingPartyMetadataRepository and only affects applications configured as SAML 2.0 service providers using the JDBC metadata repository. Applications using OAuth 2.0, session-based authentication, or SAML with XML file-based metadata are not affected.
Our database is on a private network with restricted write access. Are we still at risk?
Your risk is lower but not zero. Evaluate whether your restricted access list includes compromised service accounts, privileged developers, or cloud infrastructure. Additionally, assess whether other applications or scripts on the same network can reach the database. Defense-in-depth patching is still recommended, but the urgency may be reduced for highly segmented environments.
Can we detect if this vulnerability has been exploited in our environment?
Partially. Search application logs for deserialization exceptions or gadget chain class names. Audit database logs for any modifications to the saml2_asserting_party_metadata table that don't correlate with your normal SAML administration workflows. However, a skilled attacker may cover tracks; forensic analysis of backups is also advisable if a breach is suspected.
What Spring Security versions before 7.0 are affected?
Versions prior to 7.0.0 are not affected by this vulnerability. The issue is specific to the redesigned JDBC metadata repository in the 7.0.x branch. If you are running Spring Security 6.x or earlier, no action is required for this CVE.
This analysis is based on publicly available vulnerability data as of the publication date and represents a point-in-time assessment. Patch availability and version numbers should be verified against official VMware Spring Security advisories and release notes. This document does not constitute legal or professional security advice. Organizations should conduct their own risk assessments and consult with internal security teams before making remediation decisions. Exploitation techniques are not detailed herein; refer to vendor advisories for comprehensive mitigation guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41731HIGHSpring for Apache Kafka Header Deserialization RCE (CVSS 8.1)
- CVE-2026-41732HIGHSpring for Apache Pulsar Remote Code Execution via Unsafe Deserialization
- CVE-2026-41855HIGHSpring Framework JMS Deserialization Vulnerability (CVSS 8.1)
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-20251HIGHSplunk Remote Code Execution via KV Store Deserialization
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation