PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40975 Spring CVE debrief

CVE-2026-40975 is a medium-severity vulnerability in Spring Boot, a popular Java framework for building web applications. The issue is the insecure generation of random values that applications may then use as secrets. Specifically, the ${random.value} property placeholder produces values that are not suitable for use as secrets, and ${random.int} and ${random.long} should not be used for secrets either, because their numeric ranges are predictable. The vulnerability affects multiple Spring Boot versions: 4.0.0-4.0.5, 3.5.0-3.5.13, 3.4.0-3.4.15, 3.3.0-3.3.18, and 2.7.0-2.7.32. Fixes are available in versions 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33.

Vendor: Spring
Product: Spring Boot
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-06-30
Advisory published: 2026-04-28
Advisory updated: 2026-06-30

Who should care

Developers and security teams using Spring Boot should be aware of this vulnerability and act promptly to mitigate the risk. Its medium severity and its potential impact on secret material make patching a priority. According to the vendor advisory, users of unsupported Spring Boot versions are also affected.

Technical summary

The vulnerability stems from insecure random value generation in Spring Boot's property placeholders. The ${random.value} placeholder generates values that are not suitable for use as secrets, and ${random.int} and ${random.long} produce numeric values with predictable ranges, which makes them unsuitable for secret generation as well. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 4.8, a medium severity level. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N: network-reachable, high attack complexity, no privileges or user interaction required, with low confidentiality and integrity impact and no availability impact.

Defensive priority

Apply the available patches to prevent potential security risks. Prioritize patching for systems and applications using affected Spring Boot versions.

Recommended defensive actions

  • Apply patches for affected Spring Boot versions: upgrade to 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33.
  • Avoid using ${random.value}, ${random.int}, and ${random.long} for generating secrets.
  • Implement alternative, secure methods for generating random numbers and secrets.
  • Review and update configurations for systems and applications using Spring Boot.
  • Monitor for potential security incidents related to this vulnerability.
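The two configuration-side actions above (stop using ${random.value}, ${random.int} and ${random.long} for secrets, and generate secrets securely instead) can be checked and carried out with a small amount of plain Java. The class below is an added example written for this debrief; it is not code from the advisory or from Spring Boot. The class and method names (SecretHygiene, generateSecret, findRiskyPlaceholders) are hypothetical, the list of "secret-like" key names is an assumed heuristic rather than a complete list, and the sample properties are constructed. The placeholder scan also recognises the bracketed range forms that Spring Boot accepts for ${random.int}, such as ${random.int[8080,8090]}, so that a secret built from a bounded integer is flagged too.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example for this debrief; not part of the advisory or of Spring Boot.
// Hypothetical names: SecretHygiene, generateSecret, findRiskyPlaceholders.
public final class SecretHygiene {

    // The placeholders the advisory says must not be used for secrets,
    // including the bounded forms ${random.int(max)} and ${random.int[min,max]}.
    private static final Pattern RISKY_PLACEHOLDER =
            Pattern.compile("\\$\\{random\\.(value|int|long)(\\(|\\[)?[^}]*\\}");

    // Key names that usually hold credential material.
    // Assumption: a heuristic for the scan, not an exhaustive list.
    private static final Pattern SECRET_LIKE_KEY =
            Pattern.compile("(?i)(secret|password|passwd|token|api[-_.]?key|credential)");

    // A CSPRNG; java.util.Random-style generators are not acceptable for secrets.
    private static final SecureRandom RNG = new SecureRandom();

    private SecretHygiene() {}

    /** Returns a URL-safe Base64 secret built from numBytes of CSPRNG output (at least 256 bits). */
    public static String generateSecret(int numBytes) {
        if (numBytes < 32) {
            throw new IllegalArgumentException("use at least 32 bytes (256 bits) for a secret");
        }
        byte[] raw = new byte[numBytes];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Scans .properties text and returns "key = placeholder" for secret-like keys using a risky placeholder. */
    public static List<String> findRiskyPlaceholders(String propertiesText) {
        List<String> findings = new ArrayList<>();
        for (String line : propertiesText.split("\\R")) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#") || trimmed.startsWith("!")) {
                continue; // blank line or comment
            }
            int sep = trimmed.indexOf('=');
            if (sep < 0) sep = trimmed.indexOf(':');
            if (sep < 0) continue; // not a key/value line
            String key = trimmed.substring(0, sep).trim();
            String value = trimmed.substring(sep + 1).trim();
            Matcher m = RISKY_PLACEHOLDER.matcher(value);
            if (m.find() && SECRET_LIKE_KEY.matcher(key).find()) {
                findings.add(key + " = " + m.group());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; not taken from any real application.
        String sampleProperties = String.join("\n",
                "# application.properties (constructed sample)",
                "server.port=${random.int[8080,8090]}",   // not a secret: fine
                "app.session.secret=${random.value}",      // flagged
                "app.api-key=${random.long}",              // flagged
                "app.jwt.secret=${APP_JWT_SECRET}",        // injected from the environment: fine
                "app.cache.ttl=${random.int(60)}");        // not a secret: fine

        // Expected findings: app.session.secret = ${random.value} and app.api-key = ${random.long}
        for (String finding : findRiskyPlaceholders(sampleProperties)) {
            System.out.println("risky placeholder: " + finding);
        }

        // Generate a replacement value once and store it outside the repository
        // (a vault, a secrets manager, or an environment variable such as APP_JWT_SECRET),
        // then reference it from the properties file as ${APP_JWT_SECRET}.
        System.out.println("example replacement secret: " + generateSecret(32));
    }
}
```

Running the scan over a real application.properties (or the equivalent YAML, after adapting the line parsing) gives a short list of keys to migrate. The generated secret is meant to be produced once and injected through externalised configuration; regenerating it at every start-up would invalidate sessions or tokens, which is a separate problem from the predictability the advisory describes.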

Evidence notes

The CVE-2026-40975 vulnerability was published on April 28, 2026, and last modified on June 30, 2026. The vulnerability affects multiple Spring Boot versions and has a medium severity level. Fixes are available, and developers are advised to apply patches promptly.

Official resources

This article is AI-assisted and based on the supplied source corpus.