CVE-2026-40992
Mail SMTP SSL Hostname Verification Bypass in Spring Boot

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Spring Boot's Mail auto-configuration does not enable hostname verification for SMTP connections. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Affected Vendors & Products (3 associated CPEs)
Vendor   Product       Version range
vmware   spring_boot   3.4.0 (inclusive) to 3.4.16 (inclusive)
vmware   spring_boot   3.5.0 (inclusive) to 3.5.14 (inclusive)
vmware   spring_boot   4.0.0 (inclusive) to 4.0.6 (inclusive)
CWE ID    Description
CWE-295   The product does not validate, or incorrectly validates, a certificate.
Executive Summary

CVE-2026-40992 is a security vulnerability in Spring Boot's Mail auto-configuration: SSL hostname verification is not enabled by default for SMTP connections.

This means that when Spring Boot configures mail sending over SSL or STARTTLS, it does not verify that the mail server's hostname matches the name in the server's certificate, a check that is essential to preventing man-in-the-middle attacks.

Applications that explicitly set the JavaMail property `spring.mail.properties.mail.smtp.ssl.checkserveridentity=true` are not affected by this vulnerability.

Compliance Impact

The vulnerability in Spring Boot's Mail auto-configuration, where SSL hostname verification is not enabled by default, could allow man-in-the-middle attacks because a certificate issued for a different host is accepted.

Such a security weakness may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data in transit and mandate appropriate security controls to prevent unauthorized access or interception.

However, applications that explicitly set the JavaMail property to enable hostname verification are not affected, and upgrading to fixed versions resolves the issue.

Impact Analysis

This vulnerability could allow an attacker positioned between the application and its mail server to perform a man-in-the-middle attack, since the server's certificate is not checked against the configured SMTP hostname.

As a result, sensitive information sent via email, including SMTP credentials, could be intercepted or altered without detection.

The impact includes potential loss of confidentiality, integrity, and availability of email communications.

Mitigation Strategies

The primary mitigation step is to upgrade Spring Boot to a fixed version that addresses this vulnerability.

  • Upgrade to Spring Boot 4.0.7 (OSS) or 4.0.6.1 (Enterprise Support) for the 4.0.x series.
  • Upgrade to Spring Boot 3.5.15 (OSS) or 3.5.14.1 (Enterprise Support) for the 3.5.x series.
  • Upgrade to Spring Boot 3.4.17 (Enterprise Support) for the 3.4.x series.

No additional mitigation steps are required beyond upgrading. Applications that explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true are not affected.
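As an added illustration (not code from Spring Boot or from this advisory), a startup check that fails fast when the JavaMail properties a Spring Boot application passes to its mail sender do not enable hostname verification. The class and method names are hypothetical; the property names are the JavaMail ones the advisory refers to, and the sample properties are constructed to mirror what `spring.mail.properties.*` becomes once Boot strips the prefix.

```java
import java.util.Properties;

/** Hypothetical helper (not part of Spring Boot) that audits JavaMail session properties. */
public final class SmtpHostnameVerificationCheck {

    private SmtpHostnameVerificationCheck() {}

    private static boolean flag(Properties props, String key) {
        // An absent property is treated as "not enabled", matching the advisory's description.
        return Boolean.parseBoolean(props.getProperty(key, "false").trim());
    }

    /** True when TLS is in use for the given transport ("smtp" or "smtps"). */
    public static boolean usesTls(Properties props, String protocol) {
        return protocol.equals("smtps")
            || flag(props, "mail." + protocol + ".starttls.enable")
            || flag(props, "mail." + protocol + ".ssl.enable");
    }

    /** True when mail.<protocol>.ssl.checkserveridentity is explicitly enabled. */
    public static boolean checksServerIdentity(Properties props, String protocol) {
        return flag(props, "mail." + protocol + ".ssl.checkserveridentity");
    }

    /** Throws if TLS is configured without hostname verification; intended to run at startup,
     *  e.g. from an ApplicationRunner on JavaMailSenderImpl.getJavaMailProperties(). */
    public static void requireHostnameVerification(Properties props) {
        for (String protocol : new String[] {"smtp", "smtps"}) {
            if (usesTls(props, protocol) && !checksServerIdentity(props, protocol)) {
                throw new IllegalStateException("mail." + protocol
                    + ".ssl.checkserveridentity is not enabled; set spring.mail.properties.mail."
                    + protocol + ".ssl.checkserveridentity=true (see CVE-2026-40992)");
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: STARTTLS on, hostname verification left at its default.
        Properties weak = new Properties();
        weak.setProperty("mail.smtp.starttls.enable", "true");

        // Hardened copy: the opt-in the advisory names, inherited on top of the weak settings.
        Properties hardened = new Properties(weak);
        hardened.setProperty("mail.smtp.ssl.checkserveridentity", "true");

        requireHostnameVerification(hardened); // passes silently
        try {
            requireHostnameVerification(weak);  // throws IllegalStateException
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wiring the check into a Spring Boot application is an assumption of this example; the properties it inspects are the same ones the advisory's mitigation describes.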
