In a major update for the Java ecosystem, several critical vulnerabilities have been disclosed in Spring Boot, the framework that powers millions of modern enterprise applications. These flaws, CVE-2026-40976, CVE-2026-40972, and CVE-2026-40973, range from total security bypasses to sophisticated timing attacks, potentially allowing attackers to hijack sessions or execute arbitrary code.
As these vulnerabilities affect various versions, from the cutting-edge 4.0.x branch down to the legacy 2.7.x series, administrators must act quickly to secure their development and production environments.
1. The Default Security Blind Spot (CVE-2026-40976)
The most severe vulnerability, carrying a CVSS score of 9.1, involves a critical gap in Spring Boot’s default web security filter chain. In specific configurations, the default security becomes completely ineffective, granting unauthorized access to all application endpoints.
To be vulnerable, an application must meet a very specific set of criteria:
- It must be a servlet-based web application.
- It must rely entirely on default web security with no custom Spring Security configuration.
- It must depend on spring-boot-actuator-autoconfigure but not on spring-boot-health.
If your application fits this profile, your internal endpoints may be exposed to the public internet.
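As an added illustration (not code from the article or from the Spring project), here is a minimal explicit SecurityFilterChain for a servlet application that locks down actuator endpoints instead of relying on Boot's default chain. It assumes the Spring Boot 3.x line with Spring Security 6's lambda DSL; the "ACTUATOR" role name is a placeholder, and on 4.0.x the actuator and health import packages differ.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Declaring this bean makes Spring Boot's default web security configuration
// back off, so the application no longer matches the "default security only"
// precondition and the access policy is stated explicitly in one place.
@Configuration
public class ExplicitSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Keep the health probe reachable for load balancers / orchestrators.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other actuator endpoint (env, beans, heapdump, ...) needs an
                // operator role; "ACTUATOR" is an assumed role name for this example.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                // Nothing else is implicitly open: all remaining requests need a user.
                .anyRequest().authenticated())
            // HTTP Basic is used here only to keep the example self-contained;
            // use whatever authentication mechanism the application already has.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Defining a chain of your own removes the "no custom Spring Security configuration" precondition listed above and makes the endpoint policy auditable, but upgrading to a fixed version remains the actual remediation.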
2. Timing Attacks on DevTools (CVE-2026-40972)
A “High” severity vulnerability (CVSS 7.5) has been identified in Spring Boot DevTools. An attacker on the same network as the application can use a timing attack to slowly “guess” the remote secret.
By measuring the exact time the application takes to compare secrets, an attacker can determine the correct characters. In extreme cases, once the secret is stolen, an attacker can upload changed classes and achieve Remote Code Execution (RCE).
3. Predictable Temp Directories (CVE-2026-40973)
The third vulnerability (CVSS 7.0) involves the way Spring Boot handles temporary directories. A local attacker on the same host can take control of the directory used by ApplicationTemp. If the application is configured to persist sessions across restarts, this flaw allows an attacker to:
- Read sensitive session information.
- Hijack authenticated users.
- Deploy a “gadget chain” to execute code as the application’s user.
The Spring team has released fixes across multiple versions. However, users should note that while 4.0.x and 3.5.x fixes are available via Open Source (OSS), older versions now require Enterprise Support for patching.
| Spring Boot Series | Fix Version | Availability |
|---|---|---|
| 4.0.x | 4.0.6 | OSS |
| 3.5.x | 3.5.14 | OSS |
| 3.4.x | 3.4.16 | Enterprise Support Only |
| 3.3.x | 3.3.19 | Enterprise Support Only |
| 2.7.x | 2.7.33 | Enterprise Support Only |