Zero Day MonitorZDM

← Back to list

9.1

CVE-2026-40976EXPLOITEDPATCHED

spring · spring boot

CVE-2026-40976: In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoint

Description

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Affected Products

Vendor	Product	Versions
spring	spring boot	4.0.0

References

https://spring.io/security/cve-2026-40976

Related News (1 articles)

Tier C

VulDB1d ago

CVE-2026-40976 | Vmware Spring Boot up to 4.0.5 Health authorization

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

4.0.6

CWECWE-862

PublishedApr 27, 2026

Last enriched1d agov2

Tags

health authorization

Trending Score55

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-40967EXP

CVE-2026-40967: In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to

HIGHCVE-2026-40978EXP

CVE-2026-40978: SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via c

MEDIUMCVE-2026-40966EXP

VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

HIGHCVE-2026-40968EXP

Spring gRPC SecurityContext leaks across requests on authorization failure

CRITICALCVE-2026-40974EXP

CVE-2026-40974: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 27, 2026

Discovered by ZDM

Apr 28, 2026

Updated: description, activelyExploited, tags

Apr 28, 2026

Actively Exploited

Apr 29, 2026

Patch Available

Apr 29, 2026

Version History

v2

Last enriched 1d ago

v2Tier C1d ago

Updated description with details about the Health Handler and marked the vulnerability as actively exploited.

descriptionactivelyExploitedtags

via VulDB

v11d ago

Initial creation