Visit NES for Spring Home Page

Spring Web Services 4.0.x Release Notes

4 versions

Comprehensive release notes and changelog for Spring Web Services 4.0.x, including security patches, bug fixes, and feature updates across all supported versions.

Jun 15, 2026
Latest: 4.0.21
21 Patched Vulnerabilities
VEX Statements

June 2026

Full Version:
4.0.17-spring-ws-4.0.21

Bug Fixes

  • Fixed Wss4jSecurityInterceptor to initialize inbound validation with BSP enforcement enabled, restoring the WS-I Basic Security Profile protections that were disabled by default against malformed and downgrade-attack WS-Security messages (CVE-2026-40994).
  • Fixed X509AuthenticationProvider to apply Spring Security's account lifecycle checks, preventing disabled, locked, expired, or credential-expired accounts from authenticating via mutual TLS or certificate-based SOAP (CVE-2026-40995).
  • Changed Wss4jSecurityInterceptor to no longer default allowRSA15KeyTransportAlgorithm to true, so inbound WS-Security decryption no longer accepts weak RSA PKCS#1 v1.5 encrypted key material unless explicitly enabled (CVE-2026-40996).
  • Stopped SpringSecurityUtils.checkUserValidity from embedding full UserDetails state in thrown exception messages, closing an account-state information leak through SOAP authentication failures (CVE-2026-40997).
  • Fixed Jaxp13XPathTemplate to evaluate XPath using spring-xml's hardened parsers, closing an XML External Entity (XXE) processing vulnerability on stream and SAX XPath sources (CVE-2026-40998).
  • Fixed Spring WS to treat wsa:ReplyTo and wsa:FaultTo destinations as peer-supplied, preventing Server-Side Request Forgery against internal hosts and cloud metadata endpoints via outbound reply delivery (CVE-2026-40999).
  • Wired Apache WSS4J ReplayCache instances into validation RequestData, so UsernameToken nonces, WS-Security timestamps, and SAML constructs are subject to replay enforcement (CVE-2026-41000).

April 2026

4.0.20

Released Apr 28, 2026
Full Version:
4.0.17-spring-ws-4.0.20

Dependency Upgrades

  • Spring Security (NES) 6.4.13-spring-security-6.4.16

March 2026

4.0.19

Released Mar 25, 2026
Full Version:
4.0.17-spring-ws-4.0.19

Dependency Upgrades

  • Spring Security (NES) 6.4.13-spring-security-6.4.15

January 2026

4.0.18

Released Jan 28, 2026
Full Version:
4.0.17-spring-ws-4.0.18

Notes

  • This release originates from the open‑source Spring Web Services repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Web Services 4.0.17.

Dependency Upgrades

  • Spring Security (NES) 6.4.13-spring-security-6.4.14

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.