CVE-2026-40972

CVE Database · CVE-2026-40972

CVE-2026-40972

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

0.28%

Published

Apr 27, 2026

Modified

Apr 30, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-208

Affected Products (5)

vmware · spring_boot (up to 2.7.33)vulnerable

vmware · spring_boot (up to 3.3.19)vulnerable

vmware · spring_boot (up to 3.4.16)vulnerable

vmware · spring_boot (up to 3.5.14)vulnerable

vmware · spring_boot (up to 4.0.6)vulnerable

References (1)

https://spring.io/security/cve-2026-40972

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs