CVE-2026-40993 - Spring Security JDBC SAML credential deserialization

CVE-2026-40993 - Spring Security JDBC SAML credential deserialization - High - 2026-06-10

Business risk: A writable SAML metadata table can turn a database-write foothold into credential deserialization and identity-provider trust compromise.

Root cause: Serialized verification_credentials and encryption_credentials are loaded from JDBC metadata without a trust boundary matching the database writer population.

Affected versions

  • Vulnerable: Spring Security 7.0.0 through 7.0.5 when JdbcAssertingPartyMetadataRepository reads rows that lower-trust actors can write.
  • Fixed / safe target: Upgrade Spring Security past 7.0.5, restrict writes to saml2_asserting_party_metadata, and treat SAML metadata rows as privileged configuration.
  • CVSS: 7.3 (High)

Exact vulnerable code pattern

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-saml2-service-provider</artifactId>
  <version>7.0.5</version>
</dependency>
<!-- saml2_asserting_party_metadata is writable by lower-trust tooling. -->

Fixed / mitigated code pattern

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-saml2-service-provider</artifactId>
  <version>${spring-security.fixed}</version>
</dependency>
<!-- Only the service account and reviewed migration role can write SAML metadata rows. -->

Step-by-step integration guide

  1. Inventory Maven/Gradle locks and images for Spring Security 7.0.0-7.0.5.
  2. Upgrade all Spring Security modules together to the fixed 7.0.x train and regenerate locks/SBOMs.
  3. Remove broad write grants on saml2_asserting_party_metadata.
  4. Add a regression test that low-privilege database writers cannot alter SAML credential columns.
  5. Audit recent writes to verification_credentials and encryption_credentials before deploy.

Alternative mitigations

  • Revoke non-application writes to saml2_asserting_party_metadata.
  • Disable dynamic JDBC-backed SAML metadata updates until the upgrade is deployed.
  • Alert on writes to verification_credentials or encryption_credentials.

Detection signature

rg -n "JdbcAssertingPartyMetadataRepository|saml2_asserting_party_metadata|verification_credentials|encryption_credentials|spring-security-saml2-service-provider" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-40993: Spring Security JDBC SAML credential deserialization.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-40993 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, spring-security, saml, java, jdbc, deserialization, sellable_to_enterprise, enterprise_blocker, high
  • Affected tech stack: java/maven
  • Revenue tags: sellable_to_enterprise, enterprise_blocker

References