CVE-2026-40975
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
In Spring Boot, values produced by ${random.value} are not suitable for use as secrets due to a weak PRNG. ${random.uuid} is not affected, while ${random.int} and ${random.long} should never be used for secrets because of their predictable numeric range.
Risk Assessment
Using these properties for passwords, tokens, or keys may allow an attacker to reconstruct secrets, leading to confidentiality and authorization breaches in the application.
Recommendation
Update Spring Boot to the fixed version (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33) and replace ${random.value} with a secure secret generator, such as java.security.SecureRandom or a dedicated secret manager.
Original NVD description (English source)
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

