PatchSiren cyber security CVE debrief

CVE-2026-40976 Spring CVE debrief

CVE-2026-40976 is a critical vulnerability in Spring Boot that allows unauthorized access to all endpoints. An application is affected only when every one of the following conditions holds: it is a servlet-based web application, it has no Spring Security configuration of its own, it relies on the default web security filter chain, it depends on spring-boot-actuator-autoconfigure, and it does not depend on spring-boot-health. Affected versions are Spring Boot 4.0.0 through 4.0.5; the vendor advisory recommends upgrading to 4.0.6 or later. The vulnerability carries a CVSS score of 9.1 and is rated critical. The CVE was published on April 28, 2026, and last modified on June 30, 2026.

Vendor: Spring
Product: Spring Boot
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-06-30
Advisory published: 2026-04-28
Advisory updated: 2026-06-30

Who should care

Developers and administrators running Spring Boot 4.0.0 through 4.0.5 should treat this as an immediate remediation item: upgrade to Spring Boot 4.0.6 or later, and make sure the application does not rely on the default web security filter chain. Users of Red Hat products that incorporate Spring Boot may also need to take steps to address this vulnerability.

Technical summary

CVE-2026-40976 is a critical vulnerability in Spring Boot that allows unauthorized access to all endpoints. The vulnerability is reachable only when the application is a servlet-based web application with no Spring Security configuration of its own, relies on the default web security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health. Affected versions are Spring Boot 4.0.0 through 4.0.5. The vulnerability has a CVSS score of 9.1 and is rated critical. The associated CWEs are CWE-862 (Missing Authorization) and CWE-305 (Authentication Bypass by Primary Weakness).

Defensive priority

High

Recommended defensive actions

  • Upgrade to Spring Boot 4.0.6 or later
  • Review and update Spring Security configuration
  • Verify application dependencies and configurations
  • Monitor for suspicious activity
  • Implement compensating controls as needed
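The "review and update Spring Security configuration" action above amounts to no longer relying on the default web security filter chain; as an added example that is not part of the advisory or of the Spring project's own code, the configuration below declares an explicit SecurityFilterChain that requires authentication on every request, actuator endpoints included (the package, class and bean names are assumptions).

```java
// Added example, not from the advisory or the Spring project.
// Package, class and bean names are assumptions; the Spring Security
// API calls (authorizeHttpRequests, httpBasic, build) are real.
package com.example.hardening;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ExplicitSecurityConfig {

    // Declaring any SecurityFilterChain bean makes Spring Boot's default
    // web security filter chain back off, so this chain must be complete.
    @Bean
    SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // Every request, including /actuator/** endpoints, must carry
            // authenticated credentials; nothing is permitted anonymously.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic is used here only so the chain is complete and testable;
            // substitute the application's real authentication mechanism.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

This removes the "relies on the default web security filter chain" precondition as a compensating control; upgrading to Spring Boot 4.0.6 or later remains the fix.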

Evidence notes

The CVE-2026-40976 vulnerability was published on April 28, 2026, and last modified on June 30, 2026. It has a CVSS score of 9.1 and is rated critical. The associated CWEs are CWE-862 (Missing Authorization) and CWE-305 (Authentication Bypass by Primary Weakness). The vulnerability affects Spring Boot versions 4.0.0 through 4.0.5.

Official resources

This article is AI-assisted and based on the supplied source corpus.