Zero Day MonitorZDM

← Back to list

5.0

CVE-2026-40974EXPLOITEDPATCHED

spring · spring boot

CVE-2026-40974: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to

Description

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

Affected Products

Vendor	Product	Versions
spring	spring boot	4.0.0, 3.5.0, 3.4.0, 3.3.0, 2.7.0

References

https://spring.io/security/cve-2026-40974

Related News (1 articles)

Tier C

VulDB1d ago

CVE-2026-40974 | Vmware Spring Boot up to 4.0.5 Cassandra Auto-Configuration certificate validation

→ No new info (linked only)

CVSS 3.15.0 CRITICAL

VectorCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

4.0.63.5.143.4.163.3.192.7.33

CWECWE-295

PublishedApr 27, 2026

Last enriched1d agov2

Trending Score42

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-40967EXP

CVE-2026-40967: In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to

CRITICALCVE-2026-40976EXP

CVE-2026-40976: In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoint

HIGHCVE-2026-40978EXP

CVE-2026-40978: SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via c

MEDIUMCVE-2026-40966EXP

VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

HIGHCVE-2026-40968EXP

Spring gRPC SecurityContext leaks across requests on authorization failure

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 27, 2026

Actively Exploited

Apr 28, 2026

Patch Available

Apr 28, 2026

Discovered by ZDM

Apr 28, 2026

Updated: severity, activelyExploited

Apr 28, 2026

Version History

v2

Last enriched 1d ago

v2Tier C1d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v11d ago

Initial creation