PatchSiren cyber security CVE debrief
CVE-2026-40975 Spring CVE debrief
CVE-2026-40975 is a medium-severity vulnerability in Spring Boot, a popular Java framework for building web applications. The issue is insecure random number generation in values that applications may use as secrets: the ${random.value} property placeholder produces values that are not suitable for use as secrets, and ${random.int} and ${random.long} should not be used for secrets either because of their predictable ranges. Affected versions are 4.0.0-4.0.5, 3.5.0-3.5.13, 3.4.0-3.4.15, 3.3.0-3.3.18, and 2.7.0-2.7.32. Fixes are available in versions 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33.
- Vendor: Spring
- Product: Spring Boot
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-28
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-28
- Advisory updated: 2026-06-30
Who should care
Developers and security teams running Spring Boot should be aware of this vulnerability and act to mitigate the risk. Although rated medium, its potential impact on security makes patching a priority. According to the vendor advisory, users of unsupported Spring Boot versions are also affected.
Technical summary
The vulnerability stems from insecure random number generation in Spring Boot. The ${random.value} placeholder generates values that are not suitable for use as secrets, and ${random.int} and ${random.long} produce numeric values with predictable ranges, which also makes them unsuitable for generating secrets. The CVSS 3.1 score is 4.8 (medium); the vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N.
Defensive priority
Apply the available patches to prevent potential security risks. Prioritize patching for systems and applications using affected Spring Boot versions.
Recommended defensive actions
- Apply patches for affected Spring Boot versions: upgrade to 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33.
- Avoid using ${random.value}, ${random.int}, and ${random.long} for generating secrets.
- Generate secrets with a cryptographically secure random number generator rather than a property placeholder.
- Review and update configurations for systems and applications using Spring Boot.
- Monitor for potential security incidents related to this vulnerability.
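As an added example (not code from the advisory or from the Spring project), a small Java check that flags secret-like properties assigned one of the unsafe placeholders named above, together with a SecureRandom-based generator for the replacement value. The class name, the secret-key-name heuristic and the sample properties file are assumptions.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;
public class SpringRandomSecretCheck {
    // The placeholders this advisory says must not be used for secrets.
    private static final Pattern UNSAFE_PLACEHOLDER =
            Pattern.compile("\\$\\{random\\.(value|int|long)\\b[^}]*\\}");
    // Assumed heuristic: property names that usually carry a secret.
    private static final Pattern SECRET_LIKE_KEY =
            Pattern.compile("(?i)(secret|password|token|key|credential)");
    /** Returns "key=value" for every line assigning an unsafe placeholder to a secret-like key. */
    public static List<String> findUnsafeSecrets(List<String> propertiesLines) {
        List<String> findings = new ArrayList<>();
        for (String line : propertiesLines) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;
            int eq = trimmed.indexOf('=');
            if (eq < 0) continue;
            String key = trimmed.substring(0, eq).trim();
            String value = trimmed.substring(eq + 1).trim();
            if (SECRET_LIKE_KEY.matcher(key).find() && UNSAFE_PLACEHOLDER.matcher(value).find()) {
                findings.add(key + "=" + value);
            }
        }
        return findings;
    }
    /** Builds a replacement secret from a CSPRNG; 32 bytes gives 256 bits of entropy. */
    public static String generateSecret(int numBytes) {
        byte[] bytes = new byte[numBytes];
        new SecureRandom().nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
    public static void main(String[] args) {
        // Constructed sample of an application.properties file (not from any real project).
        List<String> sample = List.of(
                "server.port=${random.int[1024,65535]}",   // not a secret: acceptable
                "app.jwt.secret=${random.value}",          // flagged
                "app.api.token=${random.long}",            // flagged
                "app.db.password=${DB_PASSWORD}");         // injected externally: acceptable
        findUnsafeSecrets(sample).forEach(f -> System.out.println("UNSAFE: " + f));
        // Generate the replacement once, store it outside the app, and reference it as ${APP_JWT_SECRET}.
        System.out.println("replacement secret: " + generateSecret(32));
    }
}
```

Run it against each environment's properties files as part of the configuration review; the two flagged lines are the ones to replace with externally supplied secrets.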
Evidence notes
CVE-2026-40975 was published on April 28, 2026 and last modified on June 30, 2026. It affects multiple Spring Boot versions at medium severity; fixes are available and should be applied promptly.
Official resources
- CVE-2026-40975 CVE record (CVE.org)
- CVE-2026-40975 NVD detail (NVD)
- Mitigation or vendor reference: Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.