Information Exposure Through Timing Discrepancy in Spring Boot - CVE-2026-40972


Published: April 27, 2026


Vulnerability identifier: #VU128231
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-40972
CWE-ID: CWE-208
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Spring
Affected software:
Spring Boot

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to observable timing discrepancies in DevTools remote secret comparison when validating the remote secret over an adjacent network. A remote attacker can measure response timing to discover the secret and execute arbitrary code.

Exploitation is limited to attackers on the same network as the remote application, and successful secret recovery may allow uploading changed classes.
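As an added illustration of the CWE-208 pattern described above (example code written here, not Spring Boot's own implementation), the following Java class shows a secret comparison that returns early on the first mismatching character beside one that spends the same time regardless of how much of the guess is correct. The class name `SecretCheck` and the secret value are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Constructed example: validates a presented remote secret against the configured one. */
public final class SecretCheck {

    private SecretCheck() {}

    /**
     * Vulnerable pattern (CWE-208): String.equals stops at the first differing character,
     * so the time taken depends on how long the correctly guessed prefix is. Measured over
     * many requests, that difference lets the caller learn the secret one character at a time.
     */
    public static boolean leakyEquals(String expected, String presented) {
        return expected.equals(presented);
    }

    /**
     * Hardened pattern: both sides are hashed to a fixed-length SHA-256 digest and compared
     * with MessageDigest.isEqual, which examines every byte. Hashing first also hides the
     * secret's length, which a plain length check would otherwise reveal through early return.
     */
    public static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] a = sha256.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha256.digest(presented.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java runtime, so this cannot happen in practice.
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String configured = "example-secret"; // constructed value, not a real secret
        System.out.println(constantTimeEquals(configured, "example-secret"));
        System.out.println(constantTimeEquals(configured, "example-secreT"));
        System.out.println(constantTimeEquals(configured, "wrong"));
    }
}
```

When reviewing code for this weakness, look for `equals` or `compareTo` applied to any secret, token or signature; `MessageDigest.isEqual` (or a library's constant-time equivalent) is the replacement.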


How to mitigate CVE-2026-40972

Install the security update from the vendor's website.

Sources