
CVE-2026-40972

· Published 28/04/2026 00:16 · Modified 28/04/2026 20:11

Labels: CVE-2026-40972, 2026-04-28, CWE-208, [email protected]

Essential information

Published
28/04/2026 00:16
Modified
28/04/2026 20:11
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CWE-208 (Observable Timing Discrepancy)
CVSS vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics
Attack Vector: Adjacent Network (AV:A)
Attack Complexity: High (AC:H)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality / Integrity / Availability: High / High / High (C:H/I:H/A:H)

Description

An attacker on the same network as the remote application may be able to use a timing attack to discover information about the DevTools remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. The weakness is in the comparison of the DevTools remote secret (CWE-208, observable timing discrepancy); the Adjacent Network attack vector in the CVSS score reflects the same-network precondition.

Affected and fixed versions per the vendor advisory:
Spring Boot 4.0.0 to 4.0.5, fixed in 4.0.6
Spring Boot 3.5.0 to 3.5.13, fixed in 3.5.14
Spring Boot 3.4.0 to 3.4.15, fixed in 3.4.16
Spring Boot 3.3.0 to 3.3.18, fixed in 3.3.19
Spring Boot 2.7.0 to 2.7.32, fixed in 2.7.33
Versions that are no longer supported are also affected.
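The following is an added illustration of the weakness class named above (CWE-208, a secret comparison whose running time depends on where the first mismatch occurs); it is not Spring Boot's code and does not reproduce the DevTools handler. It models the leak deterministically: instead of wall-clock time, which is noisy and needs many samples per guess, the comparison reports how many bytes it touched, which is exactly the quantity a timing side channel exposes. The secret value, the hex alphabet and the function names are constructed for the example. Beyond upgrading, the practical check is whether spring-boot-devtools is on the classpath of a deployed artifact at all: its remote support is meant for development and should not ship to production.

```python
"""Timing-oracle model for a secret comparison (CWE-208).

Added example, not Spring Boot code. The 'work' counter stands in for the
elapsed time an attacker would measure over the network.
"""
import hmac
from typing import Callable, Tuple

# Constructed for the example: an 8-character lowercase-hex secret.
ALPHABET = "0123456789abcdef"
SECRET = b"3b7e9c0f"

Comparator = Callable[[bytes, bytes], Tuple[bool, int]]


def leaky_equals(guess: bytes, secret: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, as String.equals and similar helpers behave.

    Returns (equal, bytes_compared). The second value is the side channel:
    it grows by one for every leading byte the attacker got right.
    """
    if len(guess) != len(secret):
        return False, 0
    for i in range(len(secret)):
        if guess[i] != secret[i]:
            return False, i + 1
    return True, len(secret)


def constant_time_equals(guess: bytes, secret: bytes) -> Tuple[bool, int]:
    """Comparison whose work does not depend on where the bytes differ.

    hmac.compare_digest walks the whole input regardless of mismatches, so
    the reported work is always the full length and carries no information.
    """
    return hmac.compare_digest(guess, secret), len(secret)


def run_attack(secret: bytes, compare: Comparator, alphabet: str = ALPHABET) -> str:
    """Recover `secret` one position at a time using the comparison's work counter.

    For each position, try every alphabet symbol with the already-known
    prefix and pad the rest with alphabet[0]. Against leaky_equals the
    correct symbol is the only one whose comparison proceeds past that
    position, so it stands out as the 'slowest' guess. Against
    constant_time_equals every guess costs the same and the attack learns
    nothing (it simply returns the padding).
    """
    length = len(secret)
    known = ""
    for pos in range(length):
        best_symbol, best_work = alphabet[0], -1
        for symbol in alphabet:
            candidate = (known + symbol).ljust(length, alphabet[0]).encode()
            equal, work = compare(candidate, secret)
            if equal:
                return candidate.decode()  # full match found early
            if work > best_work:
                best_symbol, best_work = symbol, work
        known += best_symbol
    return known


if __name__ == "__main__":
    print("leaky:        ", run_attack(SECRET, leaky_equals))
    print("constant-time:", run_attack(SECRET, constant_time_equals))
```

In the model the attacker needs at most 16 oracle queries per secret byte instead of 16 to the power of the secret length; over a real network each query would be repeated and averaged to lift the signal above jitter, which is why the advisory rates the attack complexity High and scopes it to an adjacent attacker. In Java the equivalent of the hardened comparison is java.security.MessageDigest.isEqual(byte[], byte[]); String.equals exits at the first differing character, like leaky_equals here.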

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product            CPE
spring / spring boot   cpe:2.3:a:spring:spring_boot:4.0.0-4.0.5:*:*:*:*:*:*:*
spring / spring boot   cpe:2.3:a:spring:spring_boot:3.5.0-3.5.13:*:*:*:*:*:*:*
spring / spring boot   cpe:2.3:a:spring:spring_boot:3.4.0-3.4.15:*:*:*:*:*:*:*
spring / spring boot   cpe:2.3:a:spring:spring_boot:3.3.0-3.3.18:*:*:*:*:*:*:*
spring / spring boot   cpe:2.3:a:spring:spring_boot:2.7.0-2.7.32:*:*:*:*:*:*:*

References