PatchSiren cyber security CVE debrief
CVE-2026-40976 Spring CVE debrief
CVE-2026-40976 is a critical vulnerability in Spring Boot that allows unauthorized access to all endpoints of an affected application. An application is affected only when all of the following hold: it is a servlet-based web application, it has no Spring Security configuration of its own and therefore relies on Spring Boot's default web security filter chain, it depends on spring-boot-actuator-autoconfigure, and it does not depend on spring-boot-health. Affected versions are Spring Boot 4.0.0 through 4.0.5; the vendor advisory recommends upgrading to 4.0.6 or later. The vulnerability has a CVSS score of 9.1 (Critical). The CVE was published on April 28, 2026, and last modified on June 30, 2026.
- Vendor
- Spring
- Product
- Spring Boot
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-28
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-04-28
- Advisory updated
- 2026-06-30
Who should care
Developers and administrators running Spring Boot 4.0.0 through 4.0.5 should check whether their applications meet the preconditions above (servlet-based web application, no Spring Security configuration of its own, spring-boot-actuator-autoconfigure present, spring-boot-health absent). The fix is to upgrade to Spring Boot 4.0.6 or later; until that is deployed, defining an explicit Spring Security filter chain removes the reliance on the default web security filter chain and so takes the application out of the affected configuration. Users of Red Hat products that incorporate Spring Boot may also need to apply updates from that vendor.
Technical summary
CVE-2026-40976 is a critical vulnerability in Spring Boot that allows unauthorized access to all endpoints. It affects servlet-based web applications on Spring Boot 4.0.0 through 4.0.5 that have no Spring Security configuration of their own and so rely on the default web security filter chain, that depend on spring-boot-actuator-autoconfigure, and that do not depend on spring-boot-health. The CVSS score is 9.1 (Critical). The associated weaknesses are CWE-862 (Missing Authorization) and CWE-305 (Authentication Bypass by Primary Weakness).
Defensive priority
High
Recommended defensive actions
- Upgrade to Spring Boot 4.0.6 or later; this is the vendor-recommended fix
- Review the Spring Security configuration: if the application defines no SecurityFilterChain of its own, add an explicit one so it no longer relies on the default web security filter chain
- Verify dependencies: confirm whether spring-boot-actuator-autoconfigure is present and spring-boot-health is absent, which is the combination the advisory describes as affected
- Monitor access logs for unauthenticated requests to actuator and other endpoints that should require authentication
- Implement compensating controls (for example, network-level restrictions on management endpoints) until the upgrade is deployed
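The configuration change recommended above can be shown concretely. The following is an added example, not code from the Spring project or from the vendor advisory: it registers an explicit SecurityFilterChain bean, which is what causes Spring Boot's default web security filter chain to back off, so the application no longer satisfies the "relies on the default web security filter chain" precondition. It assumes a Spring Boot 4 / Spring Security 7 servlet application, the default actuator base path /actuator served on the main server port, and an ACTUATOR_PASSWORD environment variable; the class name, the ACTUATOR role and the open health paths are illustrative choices.

```java
// Added example (not from Spring or the advisory): an explicit SecurityFilterChain
// bean so the application does not rely on Spring Boot's default web security
// filter chain. Assumptions: Spring Boot 4 / Spring Security 7 servlet stack,
// actuator under /actuator on the main port, ACTUATOR_PASSWORD set in the
// environment. Role and path names are illustrative.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    // Presence of this bean is what switches off the Boot default chain.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes are commonly left open; everything
                // else under the actuator base path requires the ACTUATOR role.
                .requestMatchers("/actuator/health", "/actuator/health/**").permitAll()
                .requestMatchers("/actuator/**").hasRole("ACTUATOR")
                // Deny-by-default for the rest of the application.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Single in-memory operator account; the password comes from the
    // environment rather than being hard-coded (assumed variable name).
    @Bean
    UserDetailsService actuatorUsers(PasswordEncoder encoder) {
        String password = System.getenv("ACTUATOR_PASSWORD");
        if (password == null || password.isBlank()) {
            throw new IllegalStateException("ACTUATOR_PASSWORD is not set");
        }
        return new InMemoryUserDetailsManager(
            User.withUsername("actuator")
                .password(encoder.encode(password))
                .roles("ACTUATOR")
                .build());
    }
}
```

After deploying this, an unauthenticated request such as `curl -i http://localhost:8080/actuator/env` should return 401 rather than endpoint data. If the application changes `management.endpoints.web.base-path` or serves management endpoints on a separate `management.server.port`, the matchers above must be adjusted to match. This is a compensating control that removes one precondition; it does not replace upgrading to Spring Boot 4.0.6 or later.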
Evidence notes
The CVE record was published on April 28, 2026, and last modified on June 30, 2026; the vendor advisory carries the same publication and update dates. The stored evidence records a CVSS score of 9.1 (Critical), weaknesses CWE-862 and CWE-305, and an affected range of Spring Boot 4.0.0 through 4.0.5. The CVE is not listed in CISA KEV in the stored evidence.
Official resources
- CVE-2026-40976 CVE record (CVE.org)
- CVE-2026-40976 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (link recorded as [email protected])
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.