CVE-2026-40973

CVE-2026-40973 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 27.04.2026 Updated: 27.04.2026

A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / ApplicationTemp ownership verification. Versions that are no longer supported are also affected per vendor advisory.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Boot
Versions	Default: unaffected affected from 4.0.0 to 4.0.6 (excl.) affected from 3.5.0 to 3.5.14 (excl.) affected from 3.4.0 to 3.4.16 (excl.) affected from 3.3.0 to 3.3.19 (excl.) affected from 2.7.0 to 2.7.33 (excl.)

Vendor

Spring

Product

Spring Boot

Versions

Default: unaffected

affected from 4.0.0 to 4.0.6 (excl.)
affected from 3.5.0 to 3.5.14 (excl.)
affected from 3.4.0 to 3.4.16 (excl.)
affected from 3.3.0 to 3.3.19 (excl.)
affected from 2.7.0 to 2.7.33 (excl.)

References

Problem Types

CWE-377: Insecure Temporary File CWE

Impacts

Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH.