Strix
26.1K

CVE-2026-40972

HIGHCVSS 7.5/10EPSS 0.26%

Last modified

CVE-2026-40972 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. EPSS estimates a 0.26% chance of exploitation in the next 30 days.

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.26%

17.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
VmwareSpring Boot< 2.7.33
VmwareSpring Boot>= 3.3.0, < 3.3.19
VmwareSpring Boot>= 3.4.0, < 3.4.16
VmwareSpring Boot>= 3.5.0, < 3.5.14
VmwareSpring Boot>= 4.0.0, < 4.0.6

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-40972?
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
How severe is CVE-2026-40972?
CVE-2026-40972 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.26% probability of exploitation in the next 30 days.
How do I fix CVE-2026-40972?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-40972?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST