CVE-2026-40973
Received Received - Intake
Session Hijacking and RCE via Temp Directory Vulnerability in Spring Boot

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40973
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_boot From 4.0.0 (inc) to 4.0.6 (exc)
vmware spring_boot From 3.3.0 (inc) to 3.3.19 (exc)
vmware spring_boot From 3.4.0 (inc) to 3.4.16 (exc)
vmware spring_boot From 3.5.0 (inc) to 3.5.14 (exc)
vmware spring_boot to 2.7.33 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40973 is a high-severity vulnerability in multiple versions of Spring Boot where, if the configuration property server.servlet.session.persistent is set to true, the application uses a predictable temporary directory named ApplicationTemp without verifying directory ownership.

A local attacker on the same host can exploit this by taking control of the ApplicationTemp directory. This control can persist across application restarts.

Exploiting this vulnerability may allow the attacker to read session information, hijack authenticated users' sessions, or deploy a gadget chain to execute arbitrary code with the application's user privileges.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive session information and the ability for an attacker to hijack authenticated user sessions.

Additionally, an attacker could execute arbitrary code with the same privileges as the application user, potentially leading to full compromise of the application environment.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the affected Spring Boot versions to the fixed versions.

  • Upgrade Spring Boot 4.0.x to 4.0.6 (Open Source)
  • Upgrade Spring Boot 3.5.x to 3.5.14 (Open Source)
  • Upgrade Spring Boot 3.4.x to 3.4.16 (Enterprise Support Only)
  • Upgrade Spring Boot 3.3.x to 3.3.19 (Enterprise Support Only)
  • Upgrade Spring Boot 2.7.x to 2.7.33 (Enterprise Support Only)

No additional mitigation steps are necessary beyond upgrading.

Compliance Impact

This vulnerability allows a local attacker to read session information and hijack authenticated users, potentially leading to unauthorized access to sensitive data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability involves a local attacker taking control of the predictable temporary directory used by the application (`ApplicationTemp`) when the configuration property `server.servlet.session.persistent` is set to true. Detection involves verifying if your Spring Boot application is running a vulnerable version and if this configuration is enabled.

You can check the Spring Boot version your application is using and the value of the `server.servlet.session.persistent` property.

  • Check Spring Boot version (example for a Java application):
  • - Inspect your build files (e.g., `pom.xml` for Maven or `build.gradle` for Gradle) for the Spring Boot version.
  • - Or run the application with `java -jar yourapp.jar --version` if supported.
  • Check if `server.servlet.session.persistent` is set to true in your configuration files (`application.properties` or `application.yml`):
  • - For properties file: `grep server.servlet.session.persistent application.properties`
  • - For YAML file: `grep server.servlet.session.persistent application.yml`

Additionally, you can inspect the ownership and permissions of the temporary directory used by the application to detect if it is controlled by an unexpected user, which might indicate exploitation.

  • List the directory and check ownership (example command): `ls -ld /path/to/ApplicationTemp`
  • Check for suspicious files or symbolic links inside the temp directory that could indicate an attack.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart