CVE-2026-40974
SSL Hostname Verification Bypass in Spring Boot Cassandra Auto-Config

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VMware

Description
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_boot From 4.0.0 (inc) to 4.0.5 (inc)
vmware spring_boot From 3.5.0 (inc) to 3.5.13 (inc)
vmware spring_boot From 3.4.0 (inc) to 3.4.15 (inc)
vmware spring_boot From 3.3.0 (inc) to 3.3.18 (inc)
vmware spring_boot From 2.7.0 (inc) to 2.7.32 (inc)
CWE
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40974 is a medium-severity vulnerability in Spring Boot's Cassandra SSL auto-configuration. The issue occurs because the auto-configuration disables TLS hostname verification when establishing SSL connections to Cassandra. As a result, the client never checks that the hostname it connected to matches the name in the server's certificate, so any certificate chaining to a trusted CA is accepted regardless of which host presents it, potentially allowing man-in-the-middle attacks.

Impact Analysis

This vulnerability can allow an attacker on an adjacent network to perform a man-in-the-middle attack by intercepting SSL connections to Cassandra. Because hostname verification is disabled, the attacker could present a fraudulent certificate without being detected, potentially leading to unauthorized access or data interception. The impact on confidentiality, integrity, and availability is considered low but still present.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Spring Boot to a fixed version that addresses the vulnerability.

  • Upgrade to Spring Boot 4.0.6 or later if using the 4.0.x series.
  • Upgrade to Spring Boot 3.5.14 or later if using the 3.5.x series.
  • Upgrade to Spring Boot 3.4.16 or later if using the 3.4.x series (Enterprise Support Only).
  • Upgrade to Spring Boot 3.3.19 or later if using the 3.3.x series (Enterprise Support Only).
  • Upgrade to Spring Boot 2.7.33 or later if using the 2.7.x series (Enterprise Support Only).

No additional mitigation steps are necessary beyond upgrading.
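Since the only remediation is a version upgrade, the practical check is whether a given build is inside one of the affected ranges listed above. The following is an added example (not part of this advisory and not Spring project code) that encodes those ranges and classifies a Spring Boot version, and reads the version from a Maven pom.xml that inherits from spring-boot-starter-parent; the sample pom is constructed for the example, and the assumption that unsupported (older, unlisted) lines count as affected follows the advisory's statement above.

```python
import xml.etree.ElementTree as ET

# Affected version ranges and the fixing release for each supported line, taken
# from the advisory above (bounds inclusive).
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 5), (4, 0, 6)),
    ((3, 5, 0), (3, 5, 13), (3, 5, 14)),
    ((3, 4, 0), (3, 4, 15), (3, 4, 16)),
    ((3, 3, 0), (3, 3, 18), (3, 3, 19)),
    ((2, 7, 0), (2, 7, 32), (2, 7, 33)),
]
NEWEST_LISTED_LINE = (4, 0)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '3.5.2', '3.5.2-SNAPSHOT'
    or '2.7.18.RELEASE'; anything after the third numeric part is ignored."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    return tuple(parts[:3])


def assess(version_text):
    """Classify a Spring Boot version against CVE-2026-40974.

    status is one of:
      'affected'             - inside a listed range; fixed_in names the fix release
      'fixed'                - at or beyond the fix release of a listed line
      'unsupported_affected' - an unlisted line older than those listed; the advisory
                               says unsupported versions are also affected (assumption:
                               every unlisted line below 4.0 is treated this way)
      'unknown'              - a line newer than any listed; not covered by the advisory
    """
    v = parse_version(version_text)
    line = v[:2]
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": version_text, "status": "affected",
                    "fixed_in": ".".join(map(str, fixed))}
        # Within a listed line, anything not in the range is at or past the fix.
        if line == low[:2] and v >= fixed:
            return {"version": version_text, "status": "fixed", "fixed_in": None}
    if line < NEWEST_LISTED_LINE:
        return {"version": version_text, "status": "unsupported_affected", "fixed_in": None}
    return {"version": version_text, "status": "unknown", "fixed_in": None}


def parent_spring_boot_version(pom_xml):
    """Return the version declared on a spring-boot-starter-parent <parent>, or None.
    Works whether or not the pom declares the Maven namespace."""
    root = ET.fromstring(pom_xml)

    def local(tag):
        return tag.rsplit("}", 1)[-1]

    for child in root:
        if local(child.tag) != "parent":
            continue
        fields = {local(e.tag): (e.text or "").strip() for e in child}
        if fields.get("artifactId") == "spring-boot-starter-parent":
            return fields.get("version")
    return None


# Constructed sample pom for the example; the artifact name is made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.4.3</version>
  </parent>
  <artifactId>inventory-service</artifactId>
  <version>1.0.0</version>
</project>
"""

if __name__ == "__main__":
    for candidate in ("3.5.2", "3.5.14", "2.7.32-SNAPSHOT", "2.6.15", "4.1.0"):
        print(assess(candidate))
    print(assess(parent_spring_boot_version(SAMPLE_POM)))
```

Gradle builds and Maven projects that manage the Spring Boot BOM through dependencyManagement rather than the starter parent declare the version elsewhere; `assess` is the reusable part, and only the version-extraction helper needs adapting for those layouts.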

Compliance Impact

The vulnerability in Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification, which can allow man-in-the-middle attacks by not verifying the server's hostname against the certificate.

This weakness could potentially impact compliance with security requirements in common standards and regulations such as GDPR and HIPAA, which mandate protecting data confidentiality and integrity during transmission.

By allowing possible interception or tampering of data in transit, the vulnerability may lead to violations of these regulations' requirements for secure communications and data protection.

Mitigation involves upgrading to fixed versions of Spring Boot that restore proper hostname verification, thereby helping maintain compliance with these standards.
