CVE-2026-40993

Updated on 09 Jun 2026

Severity

7.3 High severity

Details

CVSS score
7.3
CVSS vector
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H

Overview

About vulnerability

Description

An attacker with write permission on the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns that hold the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).

When a server reads those rows and deserializes the stored credentials, the payload may allow the attacker to execute arbitrary code on that server. Note the precondition reflected in the CVSS vector (AV:A, PR:H): the attacker must already hold write access to the table, so the database itself is the trust boundary being crossed.

Affected Spring Products and Versions

Spring Security:

  • 7.0.0 - 7.0.5

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
7.0.x                 7.0.6         OSS

If the upgrade causes existing rows to stop loading, look for TRACE logs that explain why deserialization is failing. These messages are emitted by JdbcAssertingPartyMetadataRepository and begin with:

Failed to deserialize due to …

In the event that an adjustment is needed, you can set a custom deserializer with AssertingPartyMetadataRowMapper#setCredentialsDeserializer.
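The following is an added example, not Spring Security's own code, of what such a custom deserializer can look like when written defensively: it deserializes the column bytes through a JDK ObjectInputFilter (JEP 290) that rejects every class outside an explicit allow-list, so a tampered row fails loudly instead of instantiating attacker-chosen classes. Two things in it are assumptions rather than facts from this advisory: that setCredentialsDeserializer accepts Spring's org.springframework.core.serializer.Deserializer, and that the column holds a java.util collection of org.springframework.security.saml2.core.Saml2X509Credential objects (whose certificate and key fields serialize via Certificate$CertificateRep and KeyRep). Check both against the 7.0.6 javadoc and adjust the allow-list to whatever your rows actually contain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

import org.springframework.core.serializer.Deserializer;

/**
 * Allow-listing credentials deserializer (illustrative; not Spring Security's code).
 *
 * Assumption: AssertingPartyMetadataRowMapper#setCredentialsDeserializer takes a
 * Spring Deserializer. If it takes another functional type, adapt the wrapper; the
 * filter below is the part that matters.
 */
public final class AllowListCredentialsDeserializer implements Deserializer<Object> {

    /**
     * Assumption: rows hold a java.util collection of Saml2X509Credential objects.
     * Every class not listed is rejected before any of its code can run ("!*"),
     * and the size limits bound the work a hostile stream can cause.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.*;"
          + "org.springframework.security.saml2.core.Saml2X509Credential;"
          + "org.springframework.security.saml2.core.Saml2X509Credential$Saml2X509CredentialType;"
          + "java.security.cert.Certificate$CertificateRep;"
          + "java.security.KeyRep;java.security.KeyRep$Type;"
          + "maxdepth=10;maxarray=256;maxbytes=1048576;!*");

    @Override
    public Object deserialize(InputStream inputStream) throws IOException {
        try (ObjectInputStream in = new ObjectInputStream(inputStream)) {
            in.setObjectInputFilter(FILTER); // per-stream JEP 290 filter
            return in.readObject();
        }
        catch (InvalidClassException ex) {
            // Filter rejection: treat the row as tampered rather than skipping it quietly
            throw new IOException("Rejected credential payload: " + ex.getMessage(), ex);
        }
        catch (ClassNotFoundException ex) {
            throw new IOException("Unknown class in credential payload", ex);
        }
    }

    /** Stand-alone demonstration: an allowed payload loads, a foreign class is rejected. */
    public static void main(String[] args) throws IOException {
        AllowListCredentialsDeserializer deserializer = new AllowListCredentialsDeserializer();

        // Constructed sample 1: an empty java.util.ArrayList, which the allow-list permits
        Object ok = deserializer.deserializeFromByteArray(serialize(new ArrayList<Object>()));
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed sample 2: java.io.File is Serializable but not allow-listed
        try {
            deserializer.deserializeFromByteArray(serialize(new java.io.File("/tmp/x")));
            System.out.println("BUG: foreign class was accepted");
        }
        catch (IOException expected) {
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }

    private static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }
}
```

A rejected row surfaces as an IOException from the repository rather than a silently missing asserting party, which is the behaviour you want for a column whose only legitimate writer is your own application. Pair it with the least-privilege counterpart on the database side: the application's database user should not need more than the grants the repository actually exercises on saml2_asserting_party_metadata.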

References

History

  • 2026-06-09: Initial vulnerability report published.
