CVE-2026-40992

Mail SMTP SSL Hostname Verification Bypass in Spring Boot

Vulnerability report for CVE-2026-40992, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-23

Assigner: VMware

Description

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.


Meta Information

Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
vmware spring_boot From 3.4.0 (inc) to 3.4.16 (inc)
vmware spring_boot From 3.5.0 (inc) to 3.5.14 (inc)
vmware spring_boot From 4.0.0 (inc) to 4.0.6 (inc)


Exploitability

CWE-295: The product does not validate, or incorrectly validates, a certificate.


Executive Summary

CVE-2026-40992 is a security vulnerability in Spring Boot's Mail auto-configuration feature where SSL hostname verification is not enabled by default.

This means that when Spring Boot configures mail sending over SSL, it does not verify that the server's hostname matches the SSL certificate, which is a critical step in preventing man-in-the-middle attacks.

Applications that explicitly set the JavaMail property `spring.mail.properties.mail.smtp.ssl.checkserveridentity=true` are not affected by this vulnerability.

Impact Analysis

This vulnerability could allow an attacker to perform man-in-the-middle attacks by bypassing SSL certificate hostname verification during mail communication.

As a result, sensitive information sent via email could be intercepted or altered without detection.

The impact includes potential loss of confidentiality, integrity, and availability of email communications.

Mitigation Strategies

The primary mitigation step is to upgrade Spring Boot to a fixed version that addresses this vulnerability.

  • Upgrade to Spring Boot 4.0.7 (OSS) or 4.0.6.1 (Enterprise Support) for the 4.0.x series.
  • Upgrade to Spring Boot 3.5.15 (OSS) or 3.5.14.1 (Enterprise Support) for the 3.5.x series.
  • Upgrade to Spring Boot 3.4.17 (Enterprise Support) for the 3.4.x series.

No additional mitigation steps are required beyond upgrading. Applications that explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true are not affected.
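For applications that cannot upgrade immediately, a startup check that refuses to run while the auto-configured sender lacks hostname verification makes the workaround above enforceable. This is an added example, not Spring's or the advisory's code; it assumes mail is sent over TLS and that the default auto-configured mail sender bean (a JavaMailSenderImpl) is present. The JavaMail key depends on spring.mail.protocol (smtp by default, or smtps), so the check derives the key from the configured protocol.

```java
import java.util.Properties;

import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mail.javamail.JavaMailSenderImpl;

/**
 * Added example (hypothetical class, not part of Spring Boot): fail fast when
 * the auto-configured mail sender does not have JavaMail hostname verification
 * enabled, i.e. when spring.mail.properties.mail.<protocol>.ssl.checkserveridentity
 * is missing or false.
 */
@Configuration
public class MailHostnameVerificationGuard {

    @Bean
    ApplicationRunner mailHostnameVerificationCheck(JavaMailSenderImpl sender) {
        return args -> {
            // Properties under spring.mail.properties.* are passed to JavaMail as-is.
            Properties javaMailProps = sender.getJavaMailProperties();

            // spring.mail.protocol defaults to "smtp"; "smtps" uses its own key prefix.
            String protocol = sender.getProtocol() == null ? "smtp" : sender.getProtocol();
            String key = "mail." + protocol + ".ssl.checkserveridentity";

            // Boolean.parseBoolean(null) is false, so an absent key fails the check too.
            boolean verifiesHostname = Boolean.parseBoolean(javaMailProps.getProperty(key));
            if (!verifiesHostname) {
                throw new IllegalStateException(
                        "Mail TLS hostname verification is disabled (CVE-2026-40992); set "
                                + "spring.mail.properties." + key + "=true or upgrade Spring Boot");
            }
        };
    }
}
```

The same condition can be expressed purely in configuration by adding `spring.mail.properties.mail.smtp.ssl.checkserveridentity=true` (or the `mail.smtps.` variant) to application.properties; the runner only makes a missing setting visible at startup instead of at first send.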

Compliance Impact

The vulnerability in Spring Boot's Mail auto-configuration, where SSL hostname verification is not enabled by default, could allow man-in-the-middle attacks by bypassing certificate validation.

Such a security weakness may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data in transit and mandate appropriate security controls to prevent unauthorized access or interception.

However, applications that explicitly set the JavaMail property to enable hostname verification are not affected, and upgrading to fixed versions resolves the issue.
