SB2026061136 - Multiple vulnerabilities in Spring Boot

Description

This security bulletin contains information about 2 vulnerabilities.

1) Insecure Temporary File (CVE-ID: CVE-2026-41001)

CWE-ID: CWE-377 - Insecure Temporary File

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to tamper with message queue data, inject malicious messages, or potentially execute code.

The vulnerability exists due to insecure temporary file usage in ArtemisEmbeddedConfigurationFactory when initializing the embedded Artemis message broker without an explicit data directory path. A local user can pre-create the predictable directory or place a symlink before the application starts to tamper with message queue data, inject malicious messages, or potentially execute code.

Exploitation requires the application to use the embedded Artemis message broker with no explicit data directory configured.

2) Improper Certificate Validation (CVE-ID: CVE-2026-40992)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper certificate validation in mail auto-configuration when establishing SSL/TLS connections to a mail server. A remote attacker can present a crafted server certificate to disclose sensitive information, modify data, or cause a denial of service.

Applications that explicitly enable the JavaMail server identity check property are not affected.

Remediation

Install update from vendor's website.

References

• https://spring.io/security/cve-2026-41001
• https://spring.io/security/cve-2026-40992