CVE-2026-40976
Unauthorized Access via Default Web Security in Spring Boot 4.x
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_boot | From 4.0.0 (inc) to 4.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40976 is a critical security vulnerability in Spring Boot versions 4.0.0 through 4.0.5 that affects servlet-based web applications relying solely on Spring Boot's default web security filter chain without any custom Spring Security configuration.
The vulnerability occurs when the application includes the spring-boot-actuator-autoconfigure dependency but does not include the spring-boot-health dependency. Under these conditions, the default security filter chain does not enforce authorization rules on Actuator endpoints (except Health), allowing unauthorized access to all endpoints.
This flaw enables attackers to bypass authorization controls on Actuator endpoints, potentially exposing sensitive operational information or control interfaces.
The issue is fixed in Spring Boot version 4.0.6 and later.
How can this vulnerability impact me? :
This vulnerability can have serious impacts by allowing attackers to gain unauthorized access to all Actuator endpoints of a vulnerable Spring Boot application.
Such unauthorized access can expose sensitive operational information or control interfaces, which could lead to further exploitation or compromise of the application.
Because the vulnerability requires no privileges or user interaction and can be exploited remotely over the network, it poses a high risk to affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects servlet-based Spring Boot web applications that rely solely on the default web security filter chain, include the spring-boot-actuator-autoconfigure dependency, and do not include the spring-boot-health dependency.
Detection involves verifying if your application meets these conditions and checking if unauthorized access to Actuator endpoints (other than Health) is possible.
Specific commands or network detection methods are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Spring Boot from versions 4.0.0 through 4.0.5 to version 4.0.6 or later, where the vulnerability is fixed.
No additional mitigation steps are necessary beyond this upgrade.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized access to all endpoints of affected Spring Boot applications, potentially exposing sensitive operational information or control interfaces.
Such unauthorized access can lead to breaches of confidentiality and integrity of data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive information.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing protected data or system controls to unauthorized parties.