SB20260427182 - Multiple vulnerabilities in Spring Boot
Published: April 27, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2026-40970)
The vulnerability allows a remote attacker to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to improper certificate validation in the Elasticsearch auto-configuration when the client connects to the Elasticsearch server using an SSL bundle. An attacker able to intercept the connection can present a crafted server certificate that the client accepts, and can then read or modify the traffic or break the connection.
2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-40971)
The vulnerability allows a remote attacker to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to improper certificate validation in the RabbitMQ auto-configuration when the client connects to the RabbitMQ broker using an SSL bundle: the certificate's host name is not checked against the broker being connected to. An attacker positioned between the application and the broker can present a certificate issued for a different host, which the client accepts, and can then read or modify the traffic or break the connection.
3) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-40972)
The vulnerability allows an attacker on an adjacent network to execute arbitrary code.
The vulnerability exists due to an observable timing discrepancy in the comparison of the DevTools remote secret when the application validates it. An attacker on an adjacent network can measure response timing to recover the secret and then use the DevTools remote access it protects to execute arbitrary code.
Exploitation is limited to attackers on the same network as the remote application; successful recovery of the secret may allow uploading changed classes to the running application.
4) Improper access control (CVE-ID: CVE-2026-40973)
The vulnerability allows a local user to disclose sensitive information, hijack authenticated users, or execute arbitrary code.
The vulnerability exists because ApplicationTemp uses a predictable temporary directory for persistent session storage without verifying who owns it. A local user who creates or takes control of that directory before the application uses it can read the stored sessions (disclosing sensitive information and hijacking authenticated users) or tamper with the stored data to execute arbitrary code.
Exploitation requires server.servlet.session.persistent to be set to true and relies on an application restart, since persistent sessions are written out and read back across restarts.
5) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-40974)
The vulnerability allows a remote attacker to compromise the confidentiality, integrity, and availability of data in transit.
The vulnerability exists due to improper certificate validation in the Cassandra SSL auto-configuration when establishing an SSL connection to Cassandra: the certificate's host name is not checked. An attacker on the local network who can intercept the connection can present a certificate for a different host and then read, modify, or disrupt the data in transit.
6) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2026-40975)
The vulnerability allows a remote attacker to disclose sensitive information and compromise the integrity of secret-dependent operations.
The vulnerability exists due to the use of a weak pseudorandom number generator in the random value property source when generating values with ${random.value}. A remote attacker can predict the generated values, so any token, key, or password derived from ${random.value} must be treated as guessable: this discloses sensitive information and compromises the integrity of operations that depend on the secret.
${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets in any case, because they are numeric values drawn from a small, predictable range.
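The following shell script is an added example and is not part of the bulletin or of the Spring project. It audits a Spring Boot application.properties for the configuration-level preconditions named in items 3, 4 and 6 (a DevTools remote secret, persistent sessions, and ${random.value} or numeric random placeholders used for values), then generates a replacement secret from the OS CSPRNG and rewrites ${random.value} to an environment-supplied ${APP_SECRET}. The properties file is a constructed sample; the property names are real Spring Boot properties, while APP_SECRET and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the bulletin or the Spring project): pre-deployment
# audit of application.properties for the settings the bulletin names as
# exploitation preconditions in items 3, 4 and 6, plus a replacement for
# ${random.value}. The sample file below is constructed; property names are
# real Spring Boot properties, APP_SECRET is an assumed variable name.

# Write a constructed sample application.properties to $1.
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample: one risky line per finding, plus benign lines
spring.devtools.remote.secret=letmein
server.servlet.session.persistent=true
app.api-key=${random.value}
app.session-token=${random.int[1000,9999]}
app.correlation-id=${random.uuid}
spring.datasource.url=jdbc:postgresql://db/app
EOF
}

# Scan $1 line by line; print one finding per risky line and set
# AUDIT_FINDINGS to the number found (0 means nothing to fix).
# ${random.uuid} is deliberately not flagged: the bulletin says it is unaffected.
audit_config() {
  AUDIT_FINDINGS=0
  while IFS= read -r line; do
    case "$line" in
      '#'*|'') continue ;;
      spring.devtools.remote.secret=*)
        echo "item 3: DevTools remote secret configured; remote access must stay off untrusted networks: $line" ;;
      server.servlet.session.persistent=true)
        echo "item 4: persistent sessions enabled; pin server.servlet.session.store-dir to a private directory: $line" ;;
      *'${random.value}'*)
        echo 'item 6: ${random.value} used; replace with an externally generated secret: '"$line" ;;
      *'${random.int'*|*'${random.long'*)
        echo 'item 6: numeric random placeholder, never acceptable for a secret: '"$line" ;;
      *) continue ;;
    esac
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
  done < "$1"
}

# 256-bit secret from the OS CSPRNG, hex-encoded (64 chars), to be handed to
# the application as an environment variable instead of ${random.value}.
gen_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Rewrite every ${random.value} in $1 to ${APP_SECRET} and write the result to
# $2; the deployment environment then supplies APP_SECRET (e.g. from gen_secret).
replace_random_value() {
  sed 's/[$]{random\.value}/${APP_SECRET}/g' "$1" > "$2"
}
```

Run `audit_config application.properties` in CI and fail the build when AUDIT_FINDINGS is non-zero; the rewrite only changes the placeholder, so the secret's lifecycle (generation, rotation, injection) has to be handled by the deployment tooling.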
7) Link following (CVE-ID: CVE-2026-40977)
The vulnerability allows a local user to corrupt one file on the host.
The vulnerability exists due to improper link resolution in ApplicationPidFileWriter when it writes the PID file at a predictable default path. A local user with write access to that location can place a symlink there, so that the PID write lands on the symlink's target and corrupts one file on the host.
Exploitation requires the application to be configured to use ApplicationPidFileWriter and the attacker to have write access to the PID file location.
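The launcher pre-flight check below is an added example and is not code from the bulletin or the Spring project. It addresses items 4 and 7 together: instead of letting the application fall back to a predictable temporary directory for persistent sessions or to the default PID path, the launcher creates its own private locations, verifies that none of them is a symlink, that they are owned by the service user and not accessible to others, and only then passes them to the application via the real Spring Boot properties server.servlet.session.store-dir and spring.pid.file. The directory layout and the jar name are assumptions.

```shell
#!/bin/sh
# Added example (not from the bulletin or the Spring project): launcher
# pre-flight check for the two filesystem locations items 4 and 7 concern.
# The property names on the launch line are real Spring Boot properties;
# the directory layout under $base and the jar name are assumptions.

# Octal mode and numeric owner of a path without following symlinks
# (GNU stat first, BSD stat as fallback).
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
file_owner() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

# Return 0 only if $1 is a real directory, owned by the current user, mode 0700.
private_dir_ok() {
  dir=$1
  if [ -L "$dir" ]; then echo "refusing: $dir is a symlink" >&2; return 1; fi
  if [ ! -d "$dir" ]; then echo "refusing: $dir is not a directory" >&2; return 1; fi
  if [ "$(file_owner "$dir")" != "$(id -u)" ]; then
    echo "refusing: $dir is not owned by uid $(id -u)" >&2; return 1
  fi
  if [ "$(file_mode "$dir")" != "700" ]; then
    echo "refusing: $dir has mode $(file_mode "$dir"), want 700" >&2; return 1
  fi
  return 0
}

# Return 0 only if $1 is safe for ApplicationPidFileWriter: its directory is
# private and the path itself is not a symlink (a symlink here would make the
# PID write land on whatever file the link points at, which is item 7).
pid_path_ok() {
  path=$1
  private_dir_ok "$(dirname "$path")" || return 1
  if [ -L "$path" ]; then echo "refusing: $path is a symlink" >&2; return 1; fi
  return 0
}

# Create the private runtime tree under $1. mkdir -p happily follows a symlink
# planted earlier, and chmod follows symlinks too, so each path is checked
# before it is chmod'ed rather than trusted because mkdir succeeded.
prepare_runtime_dir() {
  base=$1
  mkdir -p "$base/sessions" "$base/run" || return 1
  for d in "$base" "$base/sessions" "$base/run"; do
    if [ -L "$d" ]; then echo "refusing: $d is a symlink" >&2; return 1; fi
    chmod 700 "$d" || return 1
  done
}

# Vet both locations, then hand them to the application explicitly so it never
# falls back to the predictable defaults the bulletin describes.
launch() {
  base=$1
  prepare_runtime_dir "$base" || return 1
  private_dir_ok "$base/sessions" || return 1
  pid_path_ok "$base/run/app.pid" || return 1
  exec java -jar app.jar \
    --server.servlet.session.persistent=true \
    --server.servlet.session.store-dir="$base/sessions" \
    --spring.pid.file="$base/run/app.pid"
}
```

The check is a start-up gate, not a fix: it keeps a pre-planted directory or symlink from being used, but the application still needs the vendor update, and server.servlet.session.persistent should stay false unless persistent sessions are actually required.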
8) Improper access control (CVE-ID: CVE-2026-40976)
The vulnerability allows a remote attacker to gain unauthorized access to all endpoints.
The vulnerability exists due to improper access control in the default web security filter chain in certain actuator configurations. A remote attacker can send unauthenticated requests to application endpoints and gain access to all of them.
Only servlet-based web applications that rely on the default web security filter chain, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health are vulnerable.
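The triage script below is an added example, not code from the bulletin or the Spring project. It checks the three preconditions of item 8 against a `mvn dependency:tree` listing and the project's source tree: spring-boot-actuator-autoconfigure present and spring-boot-health absent, a servlet container starter on the classpath, and no SecurityFilterChain bean of the project's own (a grep heuristic for "relies on the default web security filter chain"). The listings are constructed samples with placeholder versions; the artifact names are those the bulletin names plus the standard servlet-container starters.

```shell
#!/bin/sh
# Added example (not from the bulletin or the Spring project): triage of the
# three preconditions item 8 lists. Dependency listings are constructed samples
# with placeholder versions; the SecurityFilterChain grep is a heuristic.

# Write a constructed dependency:tree listing to $1; $2 selects the variant.
write_sample_tree() {
  case "$2" in
    exposed)
      cat > "$1" <<'EOF'
[INFO] com.example:shop:jar:x.y.z
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:x.y.z:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:x.y.z:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:x.y.z:compile
[INFO] \- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:x.y.z:compile
EOF
      ;;
    with-health)
      cat > "$1" <<'EOF'
[INFO] com.example:shop:jar:x.y.z
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:x.y.z:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:x.y.z:compile
[INFO] +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:x.y.z:compile
[INFO] \- org.springframework.boot:spring-boot-health:jar:x.y.z:compile
EOF
      ;;
  esac
}

# Precondition 1: actuator autoconfigure present and spring-boot-health absent
# in the listing at $1.
item8_dependency_precondition() {
  has_actuator=0; has_health=0
  while IFS= read -r line; do
    case "$line" in
      *:spring-boot-actuator-autoconfigure:*) has_actuator=1 ;;
      *:spring-boot-health:*)                 has_health=1 ;;
    esac
  done < "$1"
  [ "$has_actuator" -eq 1 ] && [ "$has_health" -eq 0 ]
}

# Precondition 2: servlet-based, i.e. an embedded servlet container starter is
# on the classpath; a WebFlux-only application is out of scope.
is_servlet_app() {
  grep -qE ':spring-boot-starter-(tomcat|jetty|undertow):' "$1"
}

# Precondition 3 (heuristic): no SecurityFilterChain bean method of the
# project's own under $1, so the auto-configured default chain applies.
uses_default_filter_chain() {
  ! grep -rqE 'SecurityFilterChain[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' "$1"
}

# 0 = all three preconditions hold and the application should be treated as
# exposed until updated; 1 = at least one precondition does not hold.
item8_exposed() {
  item8_dependency_precondition "$1" && is_servlet_app "$1" && uses_default_filter_chain "$2"
}
```

Usage: `mvn dependency:tree > deps.txt && item8_exposed deps.txt src/main/java`. A project that defines its own SecurityFilterChain is not covered by the bulletin's third condition, but that chain then has to protect the actuator endpoints itself, so a negative result from the grep is a reason to review that configuration, not to stop.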
Remediation
Install the update from the vendor's website (see the references below for each CVE).
References
- https://spring.io/security/cve-2026-40970
- https://spring.io/security/cve-2026-40971
- https://spring.io/security/cve-2026-40972
- https://spring.io/security/cve-2026-40973
- https://spring.io/security/cve-2026-40974
- https://spring.io/security/cve-2026-40975
- https://spring.io/security/cve-2026-40977
- https://spring.io/security/cve-2026-40976