CVE-2026-40975
Status: Received - Intake
Predictable Random Value Vulnerability in Spring Boot Secrets

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.

Affected versions (random value property source backed by a weak PRNG when used for secrets):

  • Spring Boot 4.0.0 to 4.0.5 (fixed in 4.0.6)
  • Spring Boot 3.5.0 to 3.5.13 (fixed in 3.5.14)
  • Spring Boot 3.4.0 to 3.4.15 (fixed in 3.4.16)
  • Spring Boot 3.3.0 to 3.3.18 (fixed in 3.3.19)
  • Spring Boot 2.7.0 to 2.7.32 (fixed in 2.7.33)

Versions that are no longer supported are also affected, per the vendor advisory.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product       Version / Range
vmware   spring_boot   from 4.0.0 (inclusive) to 4.0.6 (exclusive)
vmware   spring_boot   from 3.3.0 (inclusive) to 3.3.19 (exclusive)
vmware   spring_boot   from 3.4.0 (inclusive) to 3.4.16 (exclusive)
vmware   spring_boot   from 3.5.0 (inclusive) to 3.5.14 (exclusive)
vmware   spring_boot   up to 2.7.33 (exclusive)
CWE
CWE-330: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability involves the use of weak pseudorandom number generators (PRNG) in certain Spring Boot versions for generating secrets, which can lead to predictable secret values.

Using insecure secrets can potentially weaken the security of systems that rely on these secrets for authentication, encryption, or data protection.

Such weaknesses may impact compliance with standards and regulations like GDPR and HIPAA, which require appropriate measures to protect sensitive data and ensure confidentiality and integrity.

However, the provided information does not explicitly describe the direct impact on compliance or specific regulatory requirements.

Mitigation involves upgrading to fixed versions of Spring Boot where the issue is resolved.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to the use of weak pseudorandom number generators in certain versions of Spring Boot when generating secrets using the ${random.value} property source.

Detection involves identifying if your system is running an affected version of Spring Boot (versions 2.7.0 through 2.7.32, 3.3.0 through 3.3.18, 3.4.0 through 3.4.15, 3.5.0 through 3.5.13, or 4.0.0 through 4.0.5) and if the application uses ${random.value} or other insecure random expressions for secret generation.

There are no specific network detection commands provided in the resources. However, you can check your Spring Boot application version by running commands such as:

  • For Maven projects: mvn dependency:list | grep spring-boot
  • For Gradle projects: ./gradlew dependencies --configuration runtimeClasspath | grep spring-boot

To detect usage of the vulnerable random expressions in your codebase, you can search for the strings '${random.value}', '${random.int}', or '${random.long}' in your configuration files or source code using commands like:

  • grep -r '\${random.value}' ./
  • grep -r '\${random.int}' ./
  • grep -r '\${random.long}' ./

If these expressions are found and the Spring Boot version is affected, the system is vulnerable and should be upgraded to a fixed version.
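
The detection approach described above, as an added shell script that is not part of this advisory or of the Spring Boot project. One function encodes the affected and fixed version ranges stated on this page and reports whether a given Spring Boot version string still needs the upgrade; the other wraps the grep search over a project tree, restricted to property, YAML, Java and Kotlin files, and uses fixed-string patterns so that `${random.uuid}`, which the advisory says is unaffected, is never flagged. The sample project tree it builds in a temporary directory is constructed for the demonstration: `application.properties` and `application.yml` are Spring Boot's usual configuration file names, and the property keys are hypothetical.

```shell
#!/bin/sh
# Added example: not taken from the advisory or from the Spring Boot project.
# One helper checks a Spring Boot version against the affected ranges on this
# page; the other searches a project tree for the random-value expressions
# the advisory says must not be used as secrets.

# Returns 0 when major.minor.patch is in an affected range (4.0.0-4.0.5,
# 3.5.0-3.5.13, 3.4.0-3.4.15, 3.3.0-3.3.18, 2.7.0-2.7.32). Older lines not
# listed (3.0-3.2, 2.0-2.6, 1.x) are out of support and, per the advisory,
# also affected. Lines newer than those listed are outside the ranges and
# return 1, as do versions at or above the fix for their line.
spring_boot_affected() {
  v="$1"
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}   # drop -SNAPSHOT and similar suffixes
  case "$major.$minor" in
    4.0) [ "$patch" -le 5 ] ;;
    3.5) [ "$patch" -le 13 ] ;;
    3.4) [ "$patch" -le 15 ] ;;
    3.3) [ "$patch" -le 18 ] ;;
    2.7) [ "$patch" -le 32 ] ;;
    *)   [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 3 ]; } ;;
  esac
}

# Prints path:line:content for each ${random.value}, ${random.int...} or
# ${random.long...} occurrence in property, YAML, Java and Kotlin files under
# $1. Fixed-string patterns, so ${random.uuid} (not affected) is never
# reported. Exit status 0 = at least one hit, 1 = nothing found.
find_unsafe_random_secrets() {
  grep -rn -F -e '${random.value}' -e '${random.int' -e '${random.long' \
    --include='*.properties' --include='*.yml' --include='*.yaml' \
    --include='*.java' --include='*.kt' -- "$1"
}

# Builds a constructed sample tree under $1 (not real application config):
# one app that draws secrets from the unsafe expressions, one that is clean.
make_sample_project() {
  mkdir -p "$1/vulnerable-app/src/main/resources" "$1/clean-app/src/main/resources"
  cat > "$1/vulnerable-app/src/main/resources/application.properties" <<'EOF'
# constructed sample: the two secrets below come from the unsafe expressions
app.api-key=${random.value}
app.signing-seed=${random.int(1000000)}
# ${random.uuid} is not affected by CVE-2026-40975 and must not be reported
app.instance-id=${random.uuid}
EOF
  cat > "$1/clean-app/src/main/resources/application.yml" <<'EOF'
# constructed sample: the secret is supplied from the environment at deploy time
app:
  api-key: ${APP_API_KEY}
  instance-id: ${random.uuid}
EOF
}

# Stand-alone demo: build the sample tree in a temporary directory and report.
demo_dir=$(mktemp -d)
make_sample_project "$demo_dir"
for ver in 3.5.13 3.5.14 3.2.0 4.0.6; do
  if spring_boot_affected "$ver"; then echo "$ver: affected, upgrade"; else echo "$ver: not affected"; fi
done
for app in vulnerable-app clean-app; do
  if find_unsafe_random_secrets "$demo_dir/$app"; then
    echo "$app: unsafe random expressions found (listed above)"
  else
    echo "$app: no unsafe random expressions"
  fi
done
rm -rf "$demo_dir"
```

To use it on a real checkout, source the file and call find_unsafe_random_secrets with the repository root; a hit on an affected version (spring_boot_affected returns 0) is the combination the answer above says to treat as vulnerable. The version check deliberately reports the unlisted older lines as affected, following the advisory's note that unsupported versions are affected too, and it only parses major.minor.patch strings.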


Can you explain this vulnerability to me?

CVE-2026-40975 is a security vulnerability in certain versions of Spring Boot where the random value property source uses a weak pseudorandom number generator (PRNG) that is not suitable for generating secrets.

Specifically, values produced by the `${random.value}` expression are insecure for secret generation. The `${random.uuid}` expression is not affected by this issue.

Additionally, `${random.int}` and `${random.long}` should never be used for secrets because they produce numeric values within predictable ranges, making them insecure.

The affected Spring Boot versions include 2.7.0 through 2.7.32, 3.3.0 through 3.3.18, 3.4.0 through 3.4.15, 3.5.0 through 3.5.13, and 4.0.0 through 4.0.5, including unsupported versions.


How can this vulnerability impact me?

This vulnerability can impact you by causing secrets generated using `${random.value}`, `${random.int}`, or `${random.long}` to be weak and predictable.

Weak secrets can lead to security risks such as unauthorized access, data exposure, or compromise of systems relying on these secrets for authentication or encryption.

Since the vulnerability involves a weak pseudorandom number generator, attackers might predict or reproduce secret values, undermining the security of applications using affected Spring Boot versions.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade your Spring Boot version to a fixed release where the issue is resolved.

  • Upgrade to Spring Boot 4.0.6 or later if using 4.0.x versions.
  • Upgrade to Spring Boot 3.5.14 or later if using 3.5.x versions.
  • Upgrade to Spring Boot 3.4.16 or later if using 3.4.x versions (Enterprise Support Only).
  • Upgrade to Spring Boot 3.3.19 or later if using 3.3.x versions (Enterprise Support Only).
  • Upgrade to Spring Boot 2.7.33 or later if using 2.7.x versions (Enterprise Support Only).

No additional mitigation steps are required beyond upgrading.

