CVE-2026-40976

CVE-2026-40976 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 27.04.2026 Updated: 27.04.2026

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Boot
Versions	Default: unaffected affected from 4.0.0 to 4.0.6 (excl.)

Vendor

Spring

Product

Spring Boot

Versions

Default: unaffected

affected from 4.0.0 to 4.0.6 (excl.)

References

Problem Types

CWE-862: Missing Authorization CWE

Impacts

Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability NONE.