Lucene search

6504 matches found

vulnersOsv
added 2026/04/28 12:31 a.m., 1 view

com.devskiller.friendly-id:friendly-id-openfeign (>=2.0.0-alpha3 <=2.0.0-beta5), io.github.bluetape4k:bluetape4k-spring-boot4-cassandra (>=1.5.0 <=1.7.0) +18 more potentially affected by CVE-2026-40974 via org.springframework.boot:spring-boot-cassandra (>=4.0.0 <=4.0.5)

org.springframework.boot:spring-boot-cassandra MAVEN version =4.0.0, =2.0.0-alpha3, =1.5.0, =2.0.0-M1, =2.0.0-M1, =2.0.0-M1, =2.0.0-M1, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.5 - org.springframework.boot:spring-boot-starter-data-cassan...

CVSS 9.8, AI score 5.8, EPSS 0.00085
Exploits 0
OSV
added 2026/04/28 12:31 a.m., 1 view

GHSA-MQVW-JFMH-93QQ Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16, 3.3.0–3.3.18 fix 3.3.19, 2.7.0–2.7.32 fix 2.7.33; Cassandra SSL...

CVSS 5, AI score 5.8, EPSS 0.00085
Exploits 0, References 3
Github Security Blog
added 2026/04/28 12:31 a.m., 5 views

Spring Boot's random value property source uses a weak PRNG unsuitable for secrets

Values produced by $random.value are not suitable for use as secrets. $random.uuid is not affected. $random.int and $random.long should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15...

CVSS 7.5, AI score 5.8, EPSS 0.00056
Exploits 0, References 3, Affected software 1
vulnersOsv
added 2026/04/28 12:31 a.m., 3 views

ai.hyacinth.framework:core-service-admin-server (=0.5.24), ai.hyacinth.framework:core-service-config-server (=0.5.24) +849 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=1.3.0.RELEASE <=2.7.3)

org.springframework.boot:spring-boot-devtools MAVEN version =1.3.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =1.0.0, =0.0.2, =0.0.3, =1.0.0, =1.0.5 - br.com.m4rc310:br-com-m4rc310-graphql =1.0.1 and more Source cves: CVE-2026-40972 Source...

CVSS 7.5, AI score 5.8, EPSS 0.00058
Exploits 0
vulnersOsv
added 2026/04/28 12:31 a.m., 5 views

com.digitalsanctuary:ds-spring-user-framework (>=3.0.0 <=3.1.0), com.the-qa-company:qendpoint-backend (>=2.3.0 <=2.5.1) +14 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.4.0 <=3.4.13)

org.springframework.boot:spring-boot-devtools MAVEN version =3.4.0, =3.0.0, =2.3.0, =2.3.0, =3.1.9, =3.2.0 - de.muenchen.oss.ad2image:ad2image-app =1.1.0 - org.bremersee:common-exception-spring-boot-autoconfigure =5.0.0 - org.bremersee:common-exception-spring-boot-web-starter =5.0.0 -...

CVSS 7.5, AI score 5.8, EPSS 0.00058
Exploits 0
Github Security Blog
added 2026/04/28 12:31 a.m., 3 views

Spring Boot DevTools remote secret comparison is vulnerable to timing attacks

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

CVSS 7.5, AI score 6.4, EPSS 0.00058
Exploits 0, References 3, Affected software 1
OSV
added 2026/04/28 12:31 a.m., 2 views

GHSA-9VC8-QPPQ-WVXC Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14 per vendor advisory...

CVSS 5, AI score 5.8, EPSS 0.00062
Exploits 0, References 3
OSV
added 2026/04/28 12:31 a.m., 0 views

GHSA-56V8-86GJ-66JP Spring Boot DevTools remote secret comparison is vulnerable to timing attacks

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

CVSS 7.5, AI score 6.4, EPSS 0.00058
Exploits 0, References 3
vulnersOsv
added 2026/04/28 12:31 a.m., 3 views

io.github.dbmdz.cudami:cudami (>=10.0.0 <=10.2.0-rc.3), io.github.gregor-poloczek.project-maintainer:project-maintainer-ui (>=0.13.0 <=0.20.0) +9 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.5.0 <=3.5.11)

org.springframework.boot:spring-boot-devtools MAVEN version =3.5.0, =10.0.0, =0.13.0, =3.2.0, =4.1.1 Source cves: CVE-2026-40972 Source advisory: OSV:GHSA-56V8-86GJ-66JP...

CVSS 7.5, AI score 5.8, EPSS 0.00058
Exploits 0
vulnersOsv
added 2026/04/28 12:31 a.m., 2 views

com.jayxu:demo (>=0.10.0 <=0.11.0), com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (>=3.0.9 <=3.1.0) +8 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=4.0.1 <=4.0.3)

org.springframework.boot:spring-boot-devtools MAVEN version =4.0.1, =0.10.0, =3.0.9, =3.0.9, =3.0.9, =3.0.9, =2.0.0, =2.1.1 - de.tschuehly:spring-view-component-thymeleaf =0.9.1 - io.stereov.singularity:core =1.10.6 - org.flowable:flowable-app-rest =8.0.0 - se.swedenconnect.bankid:bankid-idp =1.3...

CVSS 7.5, AI score 5.8, EPSS 0.00058
Exploits 0
Github Security Blog
added 2026/04/28 12:31 a.m., 5 views

Spring Boot's RabbitMQ auto-configuration doesn't perform hostname verification when connecting to the RabbitMQ broker

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14 per vendor advisory...

CVSS 9.1, AI score 5.8, EPSS 0.00062
Exploits 0, References 3, Affected software 1
vulnersOsv
added 2026/04/28 12:31 a.m., 9 views

com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example (=3.0.7), com.okta.spring.examples:okta-spring-boot-redirect-code-flow-example (=3.0.7) +21 more potentially affected by CVE-2026-40972 via org.springframework.boot:spring-boot-devtools (>=3.3.0 <=3.3.1)

org.springframework.boot:spring-boot-devtools MAVEN version =3.3.0, =1.6.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 - org.bremersee:common-exception-spring-boot-autoconfigure =1.1.0 - org.bremersee:common-exception-spring-boot-web-starter =1.1.0 -...

CVSS 7.5, AI score 5.8, EPSS 0.00058
Exploits 0
NVD
added 2026/04/28 12:16 a.m., 0 views

CVE-2026-40974

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16, 3.3.0–3.3.18 fix 3.3.19, 2.7.0–2.7.32 fix 2.7.33; Cassandra SSL...

CVSS 9.8, EPSS 0.00085
Exploits 0, References 1
NVD
added 2026/04/28 12:16 a.m., 0 views

CVE-2026-40977

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

CVSS 6.7, EPSS 0.0002
Exploits 0, References 1
NVD
added 2026/04/28 12:16 a.m., 0 views

CVE-2026-40973

A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...

CVSS 7, EPSS 0.00009
Exploits 0, References 1
NVD
added 2026/04/28 12:16 a.m., 1 view

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVSS 9.1, EPSS 0.00023
Exploits 0, References 1
NVD
added 2026/04/28 12:16 a.m., 3 views

CVE-2026-40975

Values produced by $random.value are not suitable for use as secrets. $random.uuid is not affected. $random.int and $random.long should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15...

CVSS 7.5, EPSS 0.00056
Exploits 0, References 1
NVD
added 2026/04/28 12:16 a.m., 0 views

CVE-2026-40972

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

CVSS 7.5, EPSS 0.00058
Exploits 0, References 1
Positive Technologies
added 2026/04/28 12:00 a.m., 0 views

PT-2026-35676

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input a...

CVSS 5.9, AI score 5.2, EPSS 0.00053
Exploits 0, References 4
Snyk
added 2026/04/28 12:00 a.m., 3 views

Generation of Error Message Containing Sensitive Information

Overview: Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information due to the raw message of every server-side AuthenticationException being returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker...

CVSS 6.3, AI score 5.8, EPSS 0.00061
Exploits 0, References 2