HIGH 7.6

CVE-2026-41003: Spring Security RelyingPartyRegistration Code Injection Vulnerability

A vulnerability in Spring Security allows attackers who can control certain configuration values to inject and execute arbitrary code within HTML forms generated by the framework's security filters. The attack requires that an attacker first gain the ability to modify RelyingPartyRegistration settings—typically through compromised credentials, misconfigured access controls, or supply-chain interference—and then trick a user into interacting with a malicious form. Once the malicious code executes in the user's browser, the attacker can steal session tokens, harvest credentials, or perform actions on behalf of the victim.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input validation or output encoding when Spring Security constructs HTML forms that incorporate RelyingPartyRegistration values. RelyingPartyRegistration is a configuration object that defines how the application trusts external identity providers in OAuth2 or SAML workflows. By injecting JavaScript or HTML payloads into RelyingPartyRegistration properties—such as client names, URIs, or metadata endpoints—an attacker can break out of the intended data context and execute arbitrary code in the context of the user's session. The attack vector is network-based with low complexity; it requires prior authentication (PR:L) to modify configuration, plus user interaction (UI:R) to trigger the malicious form rendering. The CVSS 3.1 vector reflects that confidentiality is highly impacted while integrity and availability are less affected.

Business impact

This vulnerability creates a post-authentication privilege escalation and data theft risk. If an internal attacker, rogue administrator, or external threat actor gains write access to application configuration, they can hijack user sessions, exfiltrate sensitive data, or redirect users to phishing pages—all within a trusted application context. For organizations running multi-tenant or shared identity-provider setups, the impact extends across all users relying on that configuration. The requirement for prior authentication limits the blast radius compared to unauthenticated attacks, but the ability to influence a trusted interface significantly erodes user confidence and compliance posture.

Affected systems

Spring Security versions spanning five major releases are affected: 5.7.0–5.7.23, 5.8.0–5.8.25, 6.3.0–6.3.16, 6.4.0–6.4.16, 6.5.0–6.5.10, and 7.0.0–7.0.5. Any Java application using Spring Security for OAuth2 or SAML authentication with externally influenced or insufficiently validated RelyingPartyRegistration configurations is at risk. This includes microservices architectures, cloud-native deployments, and traditional enterprise applications that delegate authentication to external providers.

Exploitability

Active exploitation is not yet widespread because the vulnerability requires two conditions to align: (1) an attacker must first obtain the ability to modify RelyingPartyRegistration—either through compromised administrative credentials, insecure configuration management, or a supply-chain compromise—and (2) a legitimate user must access a form containing the injected payload. The attack is not unauthenticated, which raises the bar for opportunistic exploitation. However, the CVSS score of 7.6 (HIGH) and the cross-site scripting nature of the flaw make it an attractive target for sophisticated adversaries operating inside trust boundaries or targeting high-value accounts. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Upgrade to a patched version of Spring Security. Verify the exact patch version against the vendor advisory from VMware (the current maintainer of Spring Security). Organizations unable to patch immediately should review access controls on configuration management systems to ensure that only trusted administrators can modify RelyingPartyRegistration settings. Implement network segmentation to reduce the number of users who interact with affected applications, and monitor configuration change logs for unauthorized modifications. Consider using immutable or read-only configuration where possible.

Patch guidance

Consult the VMware Spring Security security advisory for the specific patch version corresponding to your branch (5.7.x, 5.8.x, 6.3.x, 6.4.x, 6.5.x, or 7.0.x). Apply patches in a controlled manner: test in a staging environment first, validate that identity provider integrations continue to function, and monitor for any behavioral changes. If you are on an end-of-life branch (e.g., 5.7.x or 5.8.x), consider upgrading to a long-term supported release line such as 6.5.x or 7.0.x (once patched) to receive ongoing security maintenance.

Detection guidance

Monitor your application logs and configuration audit trails for unexpected changes to RelyingPartyRegistration objects—particularly modifications to client names, provider URIs, or metadata. Implement Web Application Firewall (WAF) rules to detect JavaScript or HTML entity injection patterns in HTTP requests that might influence configuration. Use browser-based security headers (Content-Security-Policy, X-Frame-Options) to mitigate the impact if a form is compromised. Conduct a periodic review of who has administrative access to configuration management tools and identity provider settings.

Why prioritize this

Despite the authenticated-attacker requirement, this vulnerability scores HIGH (7.6) because it enables cross-site scripting in a high-trust context. Organizations should prioritize patching production environments within their normal patch cycle (typically 2–4 weeks) because the attack directly compromises user sessions and data confidentiality. The widespread presence across five major Spring Security versions means most organizations running Spring-based authentication infrastructure are likely affected. The fact that it is not yet in the KEV catalog should not delay remediation—threat actors are likely aware of the issue and may target organizations with weak change-management controls.

Risk score, explained

The CVSS 3.1 score of 7.6 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for low-privilege authentication (PR:L), and user interaction (UI:R). Scope changes to reflected in downstream systems (S:C). High confidentiality impact (C:H) from stolen session data, low integrity impact (I:L) from form injection, and no availability impact (A:N). This HIGH rating appropriately balances the post-authentication nature of the attack with its ability to compromise user sessions across trust boundaries.

Frequently asked questions

Do I need to patch if I don't use OAuth2 or SAML?

If your application uses Spring Security but does not configure OAuth2 or SAML authentication via RelyingPartyRegistration, your risk is lower but not zero. Review your Spring Security configuration to confirm. If you use only username/password or other authentication methods that do not populate RelyingPartyRegistration, you may deprioritize this patch. However, we recommend patching defensively to avoid misconfiguration by future developers.

Can this be exploited without prior access to modify configuration?

The vulnerability requires an attacker to first influence RelyingPartyRegistration values. This is not a remote code execution flaw that works on an unmodified system. An attacker needs either compromised credentials, access to a configuration repository, or the ability to exploit another vulnerability to alter these settings. Once that barrier is crossed, the code injection in the form becomes the secondary exploit.

What should I do if I cannot patch immediately?

Implement strong access controls on administrative accounts and configuration management systems. Restrict network access to the affected application to known, trusted users. Enable multi-factor authentication for any account that can modify Spring Security or identity provider settings. Monitor for suspicious configuration changes. Set a firm deadline for patching within 30 days and escalate resource requests if needed.

Are there workarounds without patching?

No reliable workaround eliminates the root cause. Input validation and output encoding fixes require a code change, which is provided only in the patched versions. Deploying a WAF with anti-XSS rules may reduce exposure but is not a substitute for patching the framework itself.

This analysis is provided for informational purposes and reflects the vulnerability details as of the publication date. Security landscapes evolve; verify all patch versions, affected product lines, and remediation steps against the official VMware Spring Security security advisory before taking action. SEC.co does not provide legal, compliance, or commercial advice. Organizations should validate patch compatibility with their specific deployments, conduct regression testing in staging environments, and consult their incident response and security teams. This vulnerability is not currently listed on the CISA KEV catalog but may be added as threat intelligence develops. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).