{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/spring-boot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40976"},{"cvss":7,"id":"CVE-2026-40973"},{"cvss":7.5,"id":"CVE-2026-40972"}],"_cs_exploited":false,"_cs_products":["Spring Boot"],"_cs_severities":["critical"],"_cs_tags":["spring-boot","vulnerability","rce","authentication-bypass","session-hijacking"],"_cs_type":"advisory","_cs_vendors":["Spring"],"content_html":"\u003cp\u003eA set of critical vulnerabilities has been discovered in Spring Boot, a widely used Java framework for building web applications and backend services. These vulnerabilities, including CVE-2026-40976 (CVSS 9.1), CVE-2026-40973 (CVSS 7.0), and CVE-2026-40972 (CVSS 7.5), pose a significant threat to organizations using affected versions (specifically versions before 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33). Successful exploitation could lead to unauthorized access, session hijacking, and remote code execution, impacting the confidentiality, integrity, and availability of critical business systems. The initial advisory was released by CCB Belgium on April 28, 2026, urging immediate patching.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (CVE-2026-40976 - Authentication Bypass):\u003c/strong\u003e An attacker sends a crafted HTTP request to a vulnerable Spring Boot application endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Default Configuration:\u003c/strong\u003e If the application is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default web security configuration fails to enforce authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e Due to the authorization bypass, the attacker gains unauthorized access to all application endpoints without proper authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSession Hijacking (CVE-2026-40973):\u003c/strong\u003e A local attacker exploits the vulnerability to take control of the ApplicationTemp directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution (CVE-2026-40973):\u003c/strong\u003e Once in control of the ApplicationTemp directory, the attacker can potentially execute arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTiming Attack (CVE-2026-40972):\u003c/strong\u003e An attacker on the same network conducts a timing attack against the DevTools remote secret.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution (CVE-2026-40972):\u003c/strong\u003e By successfully exploiting the timing attack, the attacker can potentially achieve remote code execution on the vulnerable server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker gains full control of the system, allowing for data exfiltration, system compromise, and operational downtime.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these Spring Boot vulnerabilities can lead to significant damage, including unauthorized access to sensitive data, complete system compromise, and extended operational downtime. The potential number of victims is vast, considering the widespread use of Spring Boot in various sectors including finance, healthcare, and e-commerce. If an attacker successfully exploits these vulnerabilities, they could steal sensitive customer data, disrupt critical business operations, or deploy ransomware, resulting in significant financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Spring Boot applications to the latest versions (\u0026gt;=4.0.6, \u0026gt;=3.5.14, \u0026gt;=3.4.16, \u0026gt;=3.3.19, \u0026gt;=2.7.33) to address CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Access to Actuator Endpoints\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-40976 by monitoring access to sensitive actuator endpoints.\u003c/li\u003e\n\u003cli\u003eUpscale monitoring and detection capabilities to identify any related suspicious activity as recommended by the CCB.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any potentially compromised systems following the patching process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-spring-boot-vulns/","summary":"Multiple vulnerabilities in Spring Boot, including CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972, can allow attackers to bypass authorization, hijack sessions, or achieve remote code execution, potentially leading to data breaches and system compromise.","title":"Multiple Vulnerabilities in Spring Boot Allow Authorization Bypass and Potential RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-spring-boot-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Spring Boot","version":"https://jsonfeed.org/version/1.1"}