CVE-2026-40997 — Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callb — CVE Database · The Intelligence Room