Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-devtools version) |
Remediation Possible** |
| CVE-2026-40976 |
 Critical |
9.1 |
spring-boot-4.0.4.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-40972 |
 High |
7.5 |
spring-boot-devtools-4.0.4.jar |
Direct |
4.0.6 |
❌ |
| CVE-2026-40973 |
High |
7.0 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40974 |
 Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40971 |
Medium |
5.0 |
spring-boot-autoconfigure-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40975 |
Medium |
4.8 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
| CVE-2026-40977 |
Medium |
4.7 |
spring-boot-4.0.4.jar |
Transitive |
4.0.6 |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-40976
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40972
Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Dependency Hierarchy:
- ❌ spring-boot-devtools-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40973
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40974
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40971
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-autoconfigure-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40975
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
CVE-2026-40977
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
- spring-boot-devtools-4.0.4.jar (Root Library)
- ❌ spring-boot-4.0.4.jar (Vulnerable Library)
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40976
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: org.springframework.boot:spring-boot-security:4.0.6,https://github.com/spring-projects/spring-boot.git - v4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-devtools-4.0.4.jar
Spring Boot Developer Tools
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-devtools/4.0.4/d2df01f25c5f0d4f816e8ea5da41248cbe10142a/spring-boot-devtools-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40972
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution: 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
A local attacker on the same host as the application may be able to take control of the directory used by "ApplicationTemp". When "server.servlet.session.persistent" is set to "true" and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / "ApplicationTemp" ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40973
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40974
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-autoconfigure-4.0.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/4.0.4/e7d484851da96008f341cab0336ff7b923ba25ae/spring-boot-autoconfigure-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14) per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40971
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2026-40971
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40975
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-boot-4.0.4.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/4.0.4/93d6e7c5b747d640bbad17971c5ce957bee88c5f/spring-boot-4.0.4.jar
Dependency Hierarchy:
Found in HEAD commit: 9200939ed00ea9c0f2341f87024dc603fe2b491c
Found in base branch: master
Vulnerability Details
When an application is configured to use "ApplicationPidFileWriter", a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior ("ApplicationPidFileWriter"). Versions that are no longer supported are also affected per vendor advisory.
Publish Date: 2026-04-27
URL: CVE-2026-40977
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-27
Fix Resolution (org.springframework.boot:spring-boot): 4.0.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 4.0.6
Step up your Open Source Security Game with Mend here