CVE Catalog

CVE-2026-40976

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

38th percentile — higher than 38% of all known CVEs

Summary

Under certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. The vulnerability affects servlet-based web applications that have no custom Spring Security configuration, rely on the default security filter chain, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health.

Risk Assessment

The organization is at risk of unauthorized access to all endpoints, potentially leading to data leakage, system manipulation, or privilege escalation.

Recommendation

Immediately upgrade Spring Boot to version 4.0.6 or later as per vendor advisory. If upgrade is not possible, add custom Spring Security configuration or ensure the spring-boot-health dependency is present.

Original NVD description (English source)

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS