CVE-2026-40998 - Spring WS XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate in affected Spring Web Services releases evaluated XPath for StreamSource and SAXSource inputs using the JDK default DocumentBuilderFactory behavior instead of Spring’s hardened parser settings. If untrusted XML reaches those code paths, attackers may trigger XXE-style file reads or server-side request forgery through external entities.

The exposure condition is narrower than “Spring WS installed”: the application must evaluate XPath over remote-controlled XML using the vulnerable source types or an equivalent message path.

When to use it

Use this recipe when a Spring Web Services application evaluates XPath over remote-controlled XML, especially through Jaxp13XPathTemplate, StreamSource, or SAXSource. It supports source-code remediation, XXE/SSRF review, parser-hardening evidence, and proof that untrusted XML cannot resolve external entities or local files.

Inputs

  • Spring WS version, dependency tree, XML message routes, XPath templates, parser configuration, and deployment egress controls.
  • Source paths that accept XML, construct StreamSource or SAXSource, run XPath, parse SOAP/XML messages, or log parser errors.
  • Regression fixtures for external entities, local file entities, SSRF entity URLs, benign XML, hardened parser settings, and expected reject behavior.
  • Boundary evidence: XML producers, network egress policy, file access, service account privileges, logs, and rollout owner.

Affected versions

  • Vulnerable package: Spring Web Services 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, 5.0.0-5.0.1
  • Fixed versions: 3.1.9, 4.0.19, 4.1.4, 5.0.2
  • Affected surface: XPath evaluation over untrusted XML using Jaxp13XPathTemplate with StreamSource or SAXSource

Indicator-of-exposure

  • The repository uses Spring WS XPath helpers or direct Jaxp13XPathTemplate usage.
  • XML from SOAP messages, integration queues, files, or partner systems is routed into XPath evaluation.
  • The source object type can be StreamSource or SAXSource, or a wrapper that reaches the same parser path.
  • No independent XML hardening layer strips external entity support first.

Quick checks:

rg -n "Jaxp13XPathTemplate|XPathTemplate|StreamSource|SAXSource|TransformerFactory|DocumentBuilderFactory|XPathExpression|SourceExtractor" .
mvn -q dependency:tree | rg "spring-ws|spring-xml"
gradle dependencies --configuration runtimeClasspath | rg "spring-ws"

Windows:

rg -n "Jaxp13XPathTemplate|XPathTemplate|StreamSource|SAXSource|TransformerFactory|DocumentBuilderFactory|XPathExpression|SourceExtractor" .
mvn -q dependency:tree | rg "spring-ws|spring-xml"
gradle dependencies --configuration runtimeClasspath | rg "spring-ws"

Remediation strategy

  • Upgrade Spring Web Services to the fixed release for the maintained branch.
  • Trace every untrusted XML path into XPath evaluation and confirm the fixed parser path is used.
  • Add safe regression tests that confirm external entities are not resolved and that normal XPath behavior still works.
  • If immediate upgrade is blocked, stop routing untrusted XML through the vulnerable source types or harden the parser before XPath evaluation.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-40998, where Spring Web Services XPath evaluation
over `StreamSource` or `SAXSource` may parse attacker-controlled XML without
Spring's hardened parser settings. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Spring WS, hardens XML/XPath
  handling, adds safe regression checks, and documents operator actions, or
- TRIAGE.md if this repository does not control an affected XML-to-XPath path.

## Rules

- Scope only CVE-2026-40998 and directly related XPath/XML parsing paths.
- Treat XML payloads, credentials, file paths, network destinations, and
  message contents as sensitive.
- Do not use live XXE payloads against production or shared systems.
- Do not weaken XML validation just to keep tests green.
- Do not auto-merge.

## Steps

1. Inventory Spring WS dependencies, XPath helpers, XML parsing utilities, and
   generated dependency artifacts in scope.
2. Determine whether untrusted XML can reach `Jaxp13XPathTemplate` through
   `StreamSource` or `SAXSource`.
3. Identify all targets resolving vulnerable Spring WS versions.
4. If no affected path is controlled here, stop with `TRIAGE.md` listing
   checked files, the runtime owner if external, and required fixed versions.
5. Upgrade all controlled Spring WS references to the fixed release.
6. Ensure untrusted XML is parsed with hardened settings before XPath
   evaluation, and do not rely on default JDK parser behavior.
7. Add safe tests that verify external entities are not resolved and outbound
   fetches are not performed during XPath evaluation.
8. Add a PR body section named `CVE-2026-40998 operator actions` that states:
   - versions before and after;
   - which XML/XPath paths were affected;
   - any temporary containment used;
   - which validation commands passed.
9. Run available validation: dependency resolution, unit tests, XML parsing
   tests, container build, and security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-40998 in Spring WS`.

## Stop conditions

- No affected untrusted XML to XPath path is controlled here.
- Verification would require real external entity fetches against live systems.
- Upgrade requires an out-of-scope platform change.
- Validation fails for unrelated pre-existing reasons; document them instead of
  broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Spring WS, keeps untrusted XML out of vulnerable source types, adds XXE regression tests, and documents parser/egress controls.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, XML/XPath boundary, egress/file access, required fix, and residual risk.
  • The output must include exact validation commands and must not read real local files, call internal services, or expose XML payloads from production.

Verification - what the reviewer looks for

  • No controlled build resolves a vulnerable Spring WS line.
  • Untrusted XML does not trigger external entity resolution in XPath flows.
  • Tests cover both secure rejection and ordinary valid XML handling.

Watch for

  • Fixing only one helper while another code path still constructs Jaxp13XPathTemplate.
  • Replacing XXE with a custom parser that is still not actually hardened.

References