{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40976", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:04.616Z", "datePublished": "2026-04-27T23:34:51.422Z", "dateUpdated": "2026-04-27T23:34:51.422Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:34:51.422Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE", "cweId": "CWE-862"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability NONE."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "modules": ["spring-boot-actuator-autoconfigure"], "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.\n\nAffected: Spring Boot 4.0.0\u20134.0.5; upgrade to 4.0.6 or later per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must:</p><ul><li>be a servlet-based web application</li><li>have no Spring Security configuration of its own and rely on the default web security filter chain</li><li>depend on <code>spring-boot-actuator-autoconfigure</code></li><li>not depend on <code>spring-boot-health</code></li></ul><p>If any of the above does not apply, the application is not vulnerable.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5; upgrade to 4.0.6 or later per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40976"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.\n\nAffected: Spring Boot 4.0.0\u20134.0.5; upgrade to 4.0.6 or later per vendor advisory."}], "id": "CVE-2026-40976", "lastModified": "2026-04-28T00:16:24.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T00:16:24.803", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-40976"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Boot", "source": "cna", "vendor": "Spring"}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-28T12:40:43.656865+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Boot to version 4.0.6 or later.", "Add explicit Spring Security configuration to enforce authentication and authorization if upgrading is not immediately possible.", "If custom security is required but cannot be added, disable spring-boot-actuator-autoconfigure or remove its dependency.", "Verify that the application does not rely on the default security filter chain."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to all endpoints"}, "threat_synthesis": {"affected_systems": "Spring Boot versions 4.0.0 through 4.0.5 are vulnerable if the application meets the above conditions. Updating to 4.0.6 or later addresses the issue.", "description_and_impact": "The vulnerability occurs when a Spring Boot application that is servlet\u2011based, uses the default web security filter chain without any custom Spring Security configuration, includes spring\u2011boot\u2011actuator\u2011autoconfigure, but does not depend on spring\u2011boot\u2011health. Under these circumstances the default security is ineffective, allowing an unauthenticated user to reach every endpoint of the application. This missing authorization flaw can expose or modify sensitive data and services, making the application vulnerable to unauthorized exploitation.", "risk_and_exploitability": "The CVSS score of 9.1 indicates critical severity. EPSS is not available, indicating no published exploit data at this time. The vulnerability is not listed in CISA KEV. The likely attack vector is exploiting the default filter chain by sending HTTP requests to any endpoint without authentication, which is feasible for an attacker who can reach the application over the network."}}}}, "created": "2026-04-28T04:15:15.758384+00:00", "title": "Default Web Security Misconfiguration in Spring Boot", "updated": "2026-04-28T12:45:31.398315+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}