CVE-2026-40993 - Spring Security SAML credential BLOB deserialization RCE

CVE-2026-40993 + Spring Security SAML credential BLOB deserialization RCE + High + 2026-06-10

One-sentence business risk

A write path into SAML metadata rows can become server-side code execution, which is an identity-platform release blocker.

Research notes

  • Root cause: JdbcAssertingPartyMetadataRepository stores SAML verification and encryption credential collections in database columns that can deserialize attacker-controlled payloads when a hostile writer reaches saml2_asserting_party_metadata.
  • Affected versions: Spring Security 7.0.0 through 7.0.5 using JdbcAssertingPartyMetadataRepository.
  • Fixed / safe versions: Spring Security 7.0.6 OSS or 7.0.5.1 enterprise.
  • Public exploit / PoC signal: the consulted NVD/GHSA/vendor sources describe the trigger class; treat it as reproducible until patched.
  • CVSS: 7.3 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H.

Exact vulnerable code pattern

byte[] blob = rs.getBytes("verification_credentials");
Object credentials = new ObjectInputStream(new ByteArrayInputStream(blob)).readObject();

Fixed / mitigated code pattern

// Upgrade Spring Security, then keep SAML metadata rows data-only.
rowMapper.setCredentialsDeserializer(bytes -> parseSignedJsonCredentialSet(bytes));
requireDatabaseWritesFromProvisioningRoleOnly("saml2_asserting_party_metadata");

Dependency or runtime update:

mvn -q dependency:tree | grep -i spring-security
# set Spring Security to 7.0.6+ or enterprise 7.0.5.1
mvn test

Step-by-step integration guide

  1. Inventory org.springframework.security:spring-security-saml2-service-provider in source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes.
  2. Upgrade or patch to Spring Security 7.0.6 OSS or 7.0.5.1 enterprise; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up.
  3. Replace every vulnerable deserialization pattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting.
  4. Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
  5. Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.

Alternative mitigations

  • Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
  • Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
  • Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
  • Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.

Detection signature

id: cve-2026-40993-spring-security-saml-credential-blob-deserializa
source: NVD
package_or_product: "org.springframework.security:spring-security-saml2-service-provider"
affected: "Spring Security 7.0.0 through 7.0.5 using JdbcAssertingPartyMetadataRepository"
fixed: "Spring Security 7.0.6 OSS or 7.0.5.1 enterprise"
cvss: "7.3 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H"
signals:
  - "deserialization"
  - "CVE-2026-40993"
  - "org.springframework.security:spring-security-saml2-service-provider"
action: "upgrade, add a regression test, and verify deploy artifact"

Copy-paste skill

You are remediating CVE-2026-40993 (Spring Security SAML credential BLOB deserialization RCE) in this repository.

Produce a reviewer-ready PR or TRIAGE.md. Inventory org.springframework.security:spring-security-saml2-service-provider across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply Spring Security 7.0.6 OSS or 7.0.5.1 enterprise. Replace the vulnerable deserialization pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.

Keywords, affected tech stack, and revenue tags

  • Keywords: CVE-2026-40993, deserialization, org.springframework.security:spring-security-saml2-service-provider, NVD.
  • Affected tech stack: java/maven.
  • Revenue tags: sellable_to_fintech, enterprise_blocker, high_priority_sla.

References