CVE-2026-40972

HIGH

Spring Boot < 4.0.6 - Remote Code Execution

Title source: rule

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

References (1)

https://spring.io/security/cve-2026-40972

Scores

CVSS v3 7.5

EPSS 0.0009

EPSS Percentile 24.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-208

Status published

Products (5)

Spring/Spring Boot 2.7.0 - 2.7.33

Spring/Spring Boot 3.3.0 - 3.3.19

Spring/Spring Boot 3.4.0 - 3.4.16

Spring/Spring Boot 3.5.0 - 3.5.14

Spring/Spring Boot 4.0.0 - 4.0.6

Published Apr 28, 2026

Tracked Since Apr 28, 2026