CVE-2026-40976
A critical security vulnerability, CVE-2026-40976, has been identified in Spring Boot versions 4.0.0 through 4.0.5. This flaw occurs when the default web security configuration fails to enforce authorization, which can allow unauthorized access to all application endpoints in certain servlet-based deployments. In vulnerable applications, exploitation is possible when the app is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health. Two related Spring Boot flaws have also been disclosed: CVE-2026-40973, which may let a local attacker hijack sessions or potentially execute code by taking control of the ApplicationTemp directory, and CVE-2026-40972, which may let an attacker on the same network use a timing attack against the DevTools remote secret and, in extreme cases, achieve remote code execution.
EPSS 0.02% · 6.8th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spring | Spring Boot <4.0.6 | |
| Spring | Spring Boot <3.4.16 | |
| Spring | Spring Boot <3.5.14 | |
| Spring | Spring Boot <2.7.33 | |
| Spring | Spring Boot <3.3.19 |
Timeline
- Apr 24, 2026 CVE Published
- Apr 24, 2026 PoC Published
- Apr 27, 2026 PoC Published
- Apr 30, 2026 CVE Updated
- May 7, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score