Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-40976 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-28 |
| Vendor | VMware |
| Product | Spring Boot |
| CVSS Score | 9.1 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
In certain circumstances, Spring Boot’s default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; and not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0-4.0.5; upgrade to a patched release.
Required Actions
Update Spring Boot to a version newer than 4.0.5 containing the patch immediately. Until the patch is deployed, add an explicit Spring Security configuration for all endpoints or add a spring-boot-health dependency, which disables the vulnerable default configuration path. Review application logs and HTTP traffic for unauthorized access to /actuator/* and other protected resources.
Who Is Affected?
This vulnerability affects Spring Boot by VMware. Check whether your organization uses Spring Boot 4.0.0-4.0.5 with spring-boot-actuator-autoconfigure without a custom Spring Security configuration, and update the framework to a patched version without delay.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
