CVE-2026-40972

HIGH

Spring Boot 2.7.0-2.7.32, 3.3.0-3.3.18, 3.4.0-3.4.15, 3.5.0-3.5.13, 4.0.0-4.0.5 - Timing Discrepancy in DevTools

Title source: llm

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

References (1)

Core 1

Core References

https://spring.io/security/cve-2026-40972

Scores

CVSS v3 7.5

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-208

Status published

Products (11)

org.springframework.boot/spring-boot-devtools 0 - 2.7.32Maven

org.springframework.boot/spring-boot-devtools 3.3.0 - 3.3.18Maven

org.springframework.boot/spring-boot-devtools 3.4.0 - 3.4.15Maven

org.springframework.boot/spring-boot-devtools 3.5.0 - 3.5.14Maven

org.springframework.boot/spring-boot-devtools 4.0.0 - 4.0.6Maven

Spring/Spring Boot 2.7.0 - 2.7.33

Spring/Spring Boot 3.3.0 - 3.3.19

Spring/Spring Boot 3.4.0 - 3.4.16

Spring/Spring Boot 3.5.0 - 3.5.14

Spring/Spring Boot 4.0.0 - 4.0.6

... and 1 more

Published Apr 28, 2026

Tracked Since Apr 28, 2026