CVE-2026-40976
Unauthorized Access via Default Web Security in Spring Boot 4.x

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VMware

Description
In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must:
- be a servlet-based web application;
- have no Spring Security configuration of its own and rely on the default web security filter chain;
- depend on spring-boot-actuator-autoconfigure;
- not depend on spring-boot-health.
If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: vmware; Product: spring_boot; Version range: from 4.0.0 (inclusive) to 4.0.6 (exclusive)
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-40976 is a critical security vulnerability in Spring Boot versions 4.0.0 through 4.0.5 that affects servlet-based web applications relying solely on Spring Boot's default web security filter chain without any custom Spring Security configuration.

The vulnerability occurs when the application includes the spring-boot-actuator-autoconfigure dependency but does not include the spring-boot-health dependency. Under these conditions, the default security filter chain does not enforce authorization rules on Actuator endpoints (except Health), allowing unauthorized access to all endpoints.

This flaw enables attackers to bypass authorization controls on Actuator endpoints, potentially exposing sensitive operational information or control interfaces.

The issue is fixed in Spring Boot version 4.0.6 and later.

Impact Analysis

This vulnerability can have serious impacts by allowing attackers to gain unauthorized access to all Actuator endpoints of a vulnerable Spring Boot application.

Such unauthorized access can expose sensitive operational information or control interfaces, which could lead to further exploitation or compromise of the application.

Because the vulnerability requires no privileges or user interaction and can be exploited remotely over the network, it poses a high risk to affected systems.

Detection Guidance

This vulnerability affects servlet-based Spring Boot web applications that rely solely on the default web security filter chain, include the spring-boot-actuator-autoconfigure dependency, and do not include the spring-boot-health dependency.

Detection involves verifying whether your application meets all of these conditions and checking whether unauthenticated access to Actuator endpoints (other than Health) is possible.

Specific commands or network detection methods are not provided in the available resources.
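One way to carry out the first part of that check, added here as an example (it is not from the advisory, the Spring project, or this page's resources): triage a build's dependency manifest against the advisory's preconditions. The script reads the output of `mvn dependency:list` or `gradle dependencies` (the line formats are assumed from those tools' usual output), confirms that spring-boot-actuator-autoconfigure is in the 4.0.0–4.0.5 range and that spring-boot-health is absent, and reports the two conditions a manifest cannot answer (servlet-based, no own Spring Security configuration) as manual checks unless the caller supplies them. The sample manifests are constructed for the example.

```python
"""Dependency-manifest triage for the CVE-2026-40976 preconditions (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

AFFECTED_FROM = (4, 0, 0)  # inclusive, per the advisory
FIXED_IN = (4, 0, 6)       # exclusive, per the advisory

# Matches "org.springframework.boot:<artifact>[:jar]:<version>" as printed by
# Maven and Gradle; when Gradle prints "declared -> resolved", the resolved
# version is captured in the third group. Format assumed from usual tool output.
_DEP_RE = re.compile(
    r"org\.springframework\.boot:([A-Za-z0-9.-]+):(?:jar:)?(\d[\w.-]*)"
    r"(?:\s*->\s*(\d[\w.-]*))?"
)


def parse_version(text: str) -> tuple[int, ...]:
    """'4.0.3', '4.0.3-SNAPSHOT', '4.0.6.RELEASE' -> numeric tuple for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_boot_dependencies(manifest: str) -> dict[str, str]:
    """Return {artifactId: resolved version} for every Spring Boot artifact found."""
    found: dict[str, str] = {}
    for m in _DEP_RE.finditer(manifest):
        artifact, declared, resolved = m.groups()
        found[artifact] = resolved or declared
    return found


@dataclass
class Assessment:
    potentially_affected: bool
    reasons: list[str] = field(default_factory=list)


def assess(manifest: str, servlet_based: bool | None = None,
           own_security_config: bool | None = None) -> Assessment:
    """Apply the advisory's four preconditions; None means 'not yet checked'.

    The manifest answers the two dependency conditions. Whether the app is
    servlet-based and whether it ships its own Spring Security configuration
    must be established by a reviewer and passed in.
    """
    deps = parse_boot_dependencies(manifest)
    reasons: list[str] = []

    actuator = deps.get("spring-boot-actuator-autoconfigure")
    if actuator is None:
        return Assessment(False, ["spring-boot-actuator-autoconfigure is not on the classpath"])
    if not AFFECTED_FROM <= parse_version(actuator) < FIXED_IN:
        return Assessment(False, [f"spring-boot-actuator-autoconfigure {actuator} is outside 4.0.0-4.0.5"])
    reasons.append(f"spring-boot-actuator-autoconfigure {actuator} is in the affected range")

    if "spring-boot-health" in deps:
        return Assessment(False, [f"spring-boot-health {deps['spring-boot-health']} is present"])
    reasons.append("spring-boot-health is absent")

    if servlet_based is False:
        return Assessment(False, ["application is not servlet-based"])
    if own_security_config is True:
        return Assessment(False, ["application supplies its own Spring Security configuration"])
    if servlet_based is None:
        reasons.append("manual check needed: is the application servlet-based?")
    if own_security_config is None:
        reasons.append("manual check needed: does it rely on the default security filter chain?")
    return Assessment(True, reasons)


# Constructed sample: Maven `dependency:list` output for a build meeting both dependency conditions.
SAMPLE_MAVEN_AFFECTED = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:4.0.3:compile
[INFO]    org.springframework.boot:spring-boot-actuator-autoconfigure:jar:4.0.3:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:4.0.3:compile
"""

# Constructed sample: Gradle `dependencies` output where spring-boot-health is present.
SAMPLE_GRADLE_WITH_HEALTH = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:4.0.2 -> 4.0.3
+--- org.springframework.boot:spring-boot-actuator-autoconfigure:4.0.3
\\--- org.springframework.boot:spring-boot-health:4.0.2 -> 4.0.3
"""

if __name__ == "__main__":
    for label, manifest in (("maven", SAMPLE_MAVEN_AFFECTED), ("gradle", SAMPLE_GRADLE_WITH_HEALTH)):
        result = assess(manifest)
        print(f"{label}: potentially affected = {result.potentially_affected}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Run it against `mvn dependency:list` or `gradle dependencies` output saved to a file; a `potentially_affected` verdict with open manual checks means the dependency conditions hold and the servlet and security-configuration conditions still need a look at the application's code, and the upgrade to 4.0.6 remains the fix either way.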

Mitigation Strategies

The primary and recommended mitigation is to upgrade Spring Boot from versions 4.0.0 through 4.0.5 to version 4.0.6 or later, where the vulnerability is fixed.

No additional mitigation steps are necessary beyond this upgrade.

Compliance Impact

This vulnerability allows unauthorized access to all endpoints of affected Spring Boot applications, potentially exposing sensitive operational information or control interfaces.

Such unauthorized access can lead to breaches of confidentiality and integrity of data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing protected data or system controls to unauthorized parties.
