CVE-2026-40972

April 28, 2026, 8:11 p.m.

7.5
High

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

Product(s) Impacted

Vendor Product Versions
Spring
  • Spring Boot
  • 4.0.0-4.0.5, 3.5.0-3.5.13, 3.4.0-3.4.15, 3.3.0-3.3.18, 2.7.0-2.7.32

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-208
Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a spring spring_boot 4.0.0-4.0.5 / / / / / / /
a spring spring_boot 3.5.0-3.5.13 / / / / / / /
a spring spring_boot 3.4.0-3.4.15 / / / / / / /
a spring spring_boot 3.3.0-3.3.18 / / / / / / /
a spring spring_boot 2.7.0-2.7.32 / / / / / / /

References

https://spring.io/security/cve-2026-40972

Tags

[email protected]
CWE-208
2026-04-28
CVE-2026-40972

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: April 28, 2026, 12:16 a.m.
Last Modified: April 28, 2026, 8:11 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.