CVE-2026-40991

Summary

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.

Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.

Affected Software

VendorProductVersion RangeStatus
SpringSpring REST Docs4.0.0 < 4.0.0.1affected
SpringSpring REST Docs3.0.0 < 3.0.5.1affected
SpringSpring REST Docs2.0.0.RELEASE < 2.0.9.RELEASEaffected

Weaknesses

  • CWE-611: CWE-611: Improper Restriction of XML External Entity Reference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References