CVE Catalog

CVE-2026-40992

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

Spring Boot does not enable hostname verification in mail auto-configuration. Applications that set the relevant JavaMail property are not affected.

Risk Assessment

The lack of hostname verification may lead to man-in-the-middle attacks, posing a risk of intercepting email data.

Recommendation

It is recommended to enable hostname verification by setting the property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true in the application configuration.

Original NVD description (English source)

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS