Improper access control in Spring Boot - CVE-2026-40973

Published: April 27, 2026


Vulnerability identifier: #VU128232
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40973
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Spring
Affected software:
Spring Boot

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information, hijack the sessions of authenticated users, or execute arbitrary code.

The vulnerability exists because ApplicationTemp derives its temporary directory from predictable inputs under the shared system temporary directory (java.io.tmpdir) and uses that directory for persistent HTTP session storage without verifying that it is owned by the account running the application. A local user who pre-creates or otherwise takes control of the directory ApplicationTemp will use can read the persisted session data (information disclosure), plant session data to hijack authenticated users, or supply crafted serialized objects, since persisted sessions are stored as Java-serialized objects and read back when the application restarts (arbitrary code execution).

Exploitation requires the application to run with server.servlet.session.persistent set to true (sessions are written to the ApplicationTemp directory on shutdown and restored on the next start), so the attacker's control of the directory must already be in place across an application restart.


How to mitigate CVE-2026-40973

Install the security update from the vendor's website. Until the update is applied, either run the application with java.io.tmpdir pointing at a directory that only the service account can access (for example one created with mode 0700, or a systemd PrivateTmp mount), or set server.servlet.session.persistent=false so no session data is written to the temporary directory.
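The shell helper below is an added example, not code from the Spring Boot project or from this advisory. It performs the ownership and permission check that the description above says ApplicationTemp omits (a directory pre-created by another local user under the shared /tmp fails the owner test even though the path is the expected one), and it creates a private directory to hand to the JVM through -Djava.io.tmpdir, the property ApplicationTemp resolves its base directory from. The function names, the spring-tmp directory name and the use of find(1) for the check are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Spring Boot): verify that a
# temporary directory is safe for persistent session storage and build a
# private replacement. Assumes a Linux/BSD host with POSIX find(1), id(1),
# mkdir(1) and umask, and a sticky-bit shared /tmp.

# is_private_dir DIR USER
# Succeeds only when DIR is a real directory (a symlink planted at the path
# is rejected because find is not told to follow links), is owned by USER,
# and is writable by neither group nor others. A directory that another
# local user pre-created with the predictable name fails the -user test.
is_private_dir() {
  dir=$1
  user=$2
  [ -n "$(find "$dir" -prune -type d -user "$user" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# make_private_tmpdir BASE
# Creates BASE/spring-tmp with mode 0700 (BASE should itself be private,
# e.g. the service account's home or a PrivateTmp mount), re-checks it with
# is_private_dir so an attacker-owned pre-existing directory is detected,
# and prints the JVM option that points java.io.tmpdir at it.
make_private_tmpdir() {
  base=$1
  old_umask=$(umask)
  umask 077
  mkdir -p "$base/spring-tmp" || { umask "$old_umask"; return 1; }
  umask "$old_umask"
  is_private_dir "$base/spring-tmp" "$(id -un)" || return 1
  printf -- '-Djava.io.tmpdir=%s\n' "$base/spring-tmp"
}

# Typical use when writing the service's start command:
#   JAVA_OPTS="$(make_private_tmpdir /var/lib/myapp)" || exit 1
#   exec java $JAVA_OPTS -jar myapp.jar
```

The second function deliberately runs the check after mkdir -p rather than trusting mkdir's success: mkdir -p returns 0 when the directory already exists, which is exactly the pre-created-directory situation the advisory describes, so only the owner and mode test tells the two cases apart.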

Sources