Improper access control in Spring Boot - CVE-2026-40976

Published: April 27, 2026


Vulnerability identifier: #VU128236
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-40976
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Spring
Affected software:
Spring Boot

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to all endpoints.

The vulnerability exists due to improper access control in the default web security filter chain when handling requests in certain actuator configurations. A remote attacker can send requests to application endpoints to gain unauthorized access to all endpoints.

Only servlet-based web applications that rely on the default web security filter chain, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health are vulnerable.


How to mitigate CVE-2026-40976

Install security update from vendor's website.
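A hardening step to apply alongside the vendor update, as an added example that is not from the advisory or from Spring: declaring an explicit SecurityFilterChain bean, which replaces the default web security filter chain the advisory names as the affected component. Package names assume Spring Boot 3.x with Spring Security 6; the package that holds EndpointRequest in other major versions is an assumption to verify against the installed release.

```java
// Added example, not code from the advisory or from the Spring project.
// An explicit SecurityFilterChain bean replaces Spring Boot's default web
// security filter chain for a servlet-based application; it complements,
// and does not replace, installing the fixed version.
// Assumption: Spring Boot 3.x / Spring Security 6 package names.
package example.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probe may stay reachable for the orchestrator.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Every other actuator endpoint requires an explicit operator role
                // (ACTUATOR_ADMIN is a role name chosen for this example).
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
                // Deny-by-default for the rest of the application's endpoints.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

After deploying, confirm with an authenticated and an unauthenticated request to an actuator endpoint other than health that only the authenticated one succeeds.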
