CVE-2026-40972

CVE-2026-40972 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 27.04.2026 Updated: 27.04.2026

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Boot
Versions	Default: unaffected affected from 4.0.0 to 4.0.6 (excl.) affected from 3.5.0 to 3.5.14 (excl.) affected from 3.4.0 to 3.4.16 (excl.) affected from 3.3.0 to 3.3.19 (excl.) affected from 2.7.0 to 2.7.33 (excl.)

Vendor

Spring

Product

Spring Boot

Versions

Default: unaffected

affected from 4.0.0 to 4.0.6 (excl.)
affected from 3.5.0 to 3.5.14 (excl.)
affected from 3.4.0 to 3.4.16 (excl.)
affected from 3.3.0 to 3.3.19 (excl.)
affected from 2.7.0 to 2.7.33 (excl.)

References

Problem Types

CWE-208: Observable Timing Discrepancy CWE

Impacts

Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH.