CVE-2026-40970
Status: Awaiting Analysis (queue)
SSL Hostname Verification Bypass in Spring Boot Elasticsearch Auto-Config

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VMware

Description
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

Vendor   Product      Version / Range
pivotal  spring_boot  From 4.0.0 (inc) to 4.0.5 (inc)
vmware   spring_boot  From 4.0.0 (inc) to 4.0.5 (inc)
CWE
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40970 is a medium-severity vulnerability in Spring Boot versions 4.0.0 through 4.0.5. It occurs when Spring Boot's Elasticsearch auto-configuration is set to use an SSL bundle. In this setup, the system does not perform TLS hostname verification when connecting to the Elasticsearch server.

This means that the client accepts SSL certificates without verifying that the certificate's hostname matches the server's hostname, which can allow man-in-the-middle attacks.

The issue was fixed in Spring Boot version 4.0.6, and upgrading to this or later versions is the recommended mitigation.


How can this vulnerability impact me?

This vulnerability can allow an attacker positioned on an adjacent network to perform a man-in-the-middle attack by presenting a certificate that does not match the Elasticsearch server's hostname.

Such an attack could lead to limited impacts on confidentiality, integrity, and availability of data exchanged between the client and the Elasticsearch server.

The attack complexity is rated high; no privileges are required and no user interaction is needed.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade Spring Boot from versions 4.0.0 through 4.0.5 to version 4.0.6 or later.

No additional mitigation steps are necessary beyond upgrading.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability disables TLS hostname verification when Spring Boot's Elasticsearch auto-configuration uses an SSL bundle, potentially allowing man-in-the-middle attacks by accepting certificates that do not match the server's hostname.

This security weakness could lead to unauthorized interception or alteration of data transmitted between the application and Elasticsearch, which may impact the confidentiality and integrity of sensitive information.

As a result, organizations using affected versions of Spring Boot might face challenges in maintaining compliance with data protection standards and regulations such as GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data.

Mitigation by upgrading to Spring Boot 4.0.6 or later is necessary to restore proper hostname verification and reduce the risk of non-compliance due to this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when Spring Boot's Elasticsearch auto-configuration is set to use an SSL bundle but does not perform hostname verification. Detection involves identifying if your system is running Spring Boot versions 4.0.0 through 4.0.5 with Elasticsearch auto-configuration using SSL.

To detect this on your system, you can check the Spring Boot version in use and review your application's configuration files for Elasticsearch SSL bundle usage.

  • Check the Spring Boot version in use by inspecting your build files (e.g., the spring-boot-starter-parent version in pom.xml, or the org.springframework.boot plugin version in build.gradle). Running java -jar your-app.jar --version only reports a version if the application itself implements such a flag.
  • Search your configuration files (application.properties or application.yml) for Elasticsearch SSL bundle settings, such as properties related to SSL or TLS.
  • Use network monitoring tools to inspect TLS connections to Elasticsearch servers and verify whether hostname verification is enforced. Note that passive monitoring alone cannot show whether the client checks the certificate's hostname; confirming that requires more advanced TLS inspection, such as observing how the client behaves in a test environment against a server whose certificate name does not match.
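The version and configuration checks from the steps above, combined into one script. This is an added example, not code from the CVE record or from Spring Boot; it assumes the property name spring.elasticsearch.restclient.ssl.bundle (Spring Boot's key for the Elasticsearch REST client's SSL bundle, not stated on this page) and the function and sample file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CVE record: a POSIX sh checker that applies the detection steps
# above to a project directory. Assumed key (not on this page): spring.elasticsearch.restclient.ssl.bundle,
# Spring Boot's property for the Elasticsearch REST client's SSL bundle. Sample files are constructed.

# 0 if "$1" (x.y.z, optional -SNAPSHOT/-RC/.RELEASE suffix) lies within 4.0.0..4.0.5 inclusive, else 1.
spring_boot_affected() {
  v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//; s/\.$//')
  case $v in *.*.*) ;; *) return 1 ;; esac   # need major.minor.patch
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  if [ "$major" -eq 4 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 5 ]; then return 0; fi
  return 1
}
# Print the Spring Boot version from a Maven pom.xml (spring-boot-starter-parent); empty if absent.
spring_boot_version_from_pom() {
  awk '/<artifactId>spring-boot-starter-parent<\/artifactId>/ { p = 1 }
       p && /<version>/ { sub(/.*<version>/, ""); sub(/<\/version>.*/, ""); print; exit }' "$1"
}
# 0 if the application config in dir "$1" points the Elasticsearch REST client at an SSL bundle.
# Properties are matched exactly; the YAML check is a heuristic (restclient: and bundle: both present).
es_ssl_bundle_configured() {
  for f in "$1"/application.properties "$1"/application.yml "$1"/application.yaml; do
    [ -f "$f" ] || continue
    case $f in
      *.properties) grep -qE '^[[:space:]]*spring\.elasticsearch\.restclient\.ssl\.bundle[[:space:]]*=' "$f" && return 0 ;;
      *) grep -q 'restclient:' "$f" && grep -qE '^[[:space:]]*bundle:' "$f" && return 0 ;;
    esac
  done
  return 1
}
# Verdict for project dir "$1": exit 0 (and print EXPOSED) only when version AND bundle both match.
check_project() {
  v=$(spring_boot_version_from_pom "$1/pom.xml" 2>/dev/null || true)
  if [ -n "$v" ] && spring_boot_affected "$v" && es_ssl_bundle_configured "$1"; then
    echo "EXPOSED: Spring Boot $v with Elasticsearch SSL bundle; upgrade to 4.0.6 or later"; return 0
  fi
  echo "not exposed (Spring Boot ${v:-unknown})"; return 1
}
# Constructed sample project in a temp dir: $1 = Spring Boot version, $2 = "bundle" to add the key.
make_sample_project() {
  d=$(mktemp -d)
  printf '<project>\n <parent>\n  <artifactId>spring-boot-starter-parent</artifactId>\n  <version>%s</version>\n </parent>\n</project>\n' "$1" > "$d/pom.xml"
  printf 'spring.elasticsearch.uris=https://es.internal:9200\n' > "$d/application.properties"
  [ "$2" = bundle ] && printf 'spring.elasticsearch.restclient.ssl.bundle=es-client\n' >> "$d/application.properties"
  echo "$d"
}

check_project "$(make_sample_project 4.0.3 bundle)" || true   # EXPOSED
check_project "$(make_sample_project 4.0.6 bundle)" || true   # not exposed (fixed release)
```

Run it against a real project by calling check_project with the directory that holds pom.xml and the application config; the two demo lines at the end only exercise constructed samples.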
