Vulnerability Description
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Boot | >= 4.0.0, < 4.0.6 |
Related Weaknesses (CWE)
References
- https://spring.io/security/cve-2026-40976Vendor Advisory
FAQ
What is CVE-2026-40976?
CVE-2026-40976 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web applicat...
How severe is CVE-2026-40976?
CVE-2026-40976 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-40976?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Boot.