
63 matches found

OSV
added 2026/06/18 9:47 a.m., 11 views

ROOT-APP-MAVEN-CVE-2023-20883 CVE-2023-20883 in io.root.org.springframework.boot:spring-boot-autoconfigure - Patched by Root

Root has patched CVE-2023-20883 in the io.root.org.springframework.boot:spring-boot-autoconfigure package for Root:Maven. Multiple fixed versions available...

CVSS 7.5, AI score 5.8, EPSS 0.00904
Exploits: 0
Snyk
added 2026/06/10 12:0 a.m., 6 views

Improper Validation of Certificate with Host Mismatch

Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch via missing hostname verification in the auto-configuration. An attacker can impersonate a trusted mail server and intercept or manipulate SMTP communications because hostname...

CVSS 5, AI score 5.3, EPSS 0.00123
Exploits: 0, References: 2
Snyk
added 2026/06/10 12:0 a.m., 7 views

Insecure Temporary File

Overview Affected versions of this package are vulnerable to Insecure Temporary File via the default data directory configuration in ArtemisEmbeddedConfigurationFactory. A local attacker can tamper with or redirect the embedded Artemis broker's data storage by pre-creating the predictable data...

CVSS 5.3, AI score 5.3, EPSS 0.00094
Exploits: 0, References: 2
IBM Security Bulletins
added 2026/06/06 1:44 p.m., 5 views

Security Bulletin: Due to use of spring-boot-autoconfigure-3.5.13.jar, IBM Sterling Connect:Direct Web Services is vulnerable to not perform hostname verification.

Summary spring-boot-autoconfigure-3.5.13.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-40971, CVE-2026-40974. Vulnerability Details CVEID:CVE-2026-40971 DESCRIPTION: When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname...

CVSS 9.8, AI score 5.5, EPSS 0.00182
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2026/05/27 2:4 p.m., 12 views

Security Bulletin: IBM Sterling Control Center is affected by a vulnerability in spring-boot-autoconfigure (CVE-2026-40974)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2026-40974 reported for spring-boot-autoconfigure-3.4.11.jar. Vulnerability Details CVEID:CVE-2026-40974 DESCRIPTION: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL...

CVSS 9.8, AI score 5.8, EPSS 0.00182
Exploits: 0, Affected Software: 1
RedhatCVE
added 2026/05/14 10:2 a.m., 13 views

CVE-2026-40976

A flaw was found in Spring Boot. Under specific conditions, including being a servlet-based web application without custom Spring Security configuration and relying on the default web security filter chain, a remote attacker could bypass security. This allows unauthorized access to all applicatio...

CVSS 9.1, AI score 5.8, EPSS 0.00413
Exploits: 0, References: 4
vulnersOsv
added 2026/05/08 12:0 a.m., 8 views

ai.driftkit:driftkit-clients-spring-ai (>=0.6.0 <=0.8.7), ai.driftkit:driftkit-clients-spring-ai-starter (>=0.6.0 <=0.8.7) +328 more potentially affected by CVE-2026-41713 via org.springframework.ai:spring-ai-client-chat (>=1.0.0-M7 <=1.0.6)

org.springframework.ai:spring-ai-client-chat MAVEN version =1.0.0-M7, =0.6.0, =0.6.0, =0.6.0, =0.6.0, =0.6.0, =0.7.0, =0.6.0, =0.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.24, =1.0.27, =1.0.28 - ai.intelliswarm:swarmai-rag =1.0.28 and more Source cves: CVE-2026-41713 Source advisory:...

CVSS 8.2, AI score 5.4, EPSS 0.00218
Exploits: 0
vulnersOsv
added 2026/05/08 12:0 a.m., 8 views

ch.sbb:spring-cloud-stream-binder-solace (>=8.0.0 <=9.0.2), cn.herodotus.dante:dante-authentication-autoconfigure (>=4.0.0.0-M2 <=4.0.0.0-M3) +157 more potentially affected by CVE-2026-40989 via org.springframework.cloud:spring-cloud-function-context (>=5.0.0-M1 <=5.0.1)

org.springframework.cloud:spring-cloud-function-context MAVEN version =5.0.0-M1, =8.0.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =1.0.0, =1.0.0, =2.0.0-RC1, =8.0.4 and more S...

CVSS 6.5, AI score 5.4, EPSS 0.00211
Exploits: 0
vulnersOsv
added 2026/05/07 12:6 a.m., 6 views

be.appify.prefab:prefab-sns-sqs (>=0.4.0 <=0.7.1), be.appify.prefab:prefab-test (>=0.4.0 <=0.7.1) +72 more potentially affected by CVE-2026-44308 via io.awspring.cloud:spring-cloud-aws-autoconfigure (>=3.0.0-M1 <=4.0.1)

io.awspring.cloud:spring-cloud-aws-autoconfigure MAVEN version =3.0.0-M1, =0.4.0, =0.4.0, =3.2.1, =1.0.0, =1.0.3, =1.0.0, =1.0.0, =1.0.0, =4.0.0-rc.39, =4.0.0-rc.39, =4.0.0-rc.39, =5.0.2, =5.1.1 and more Source cves: CVE-2026-44308 Source advisory: SNYK:JAVA-IOAWSPRINGCLOUD-16799817...

CVSS 6.3, AI score 5.4, EPSS 0.00179
Exploits: 0
vulnersOsv
added 2026/04/28 9:34 a.m., 8 views

com.alibaba.cloud.ai:spring-ai-alibaba-autoconfigure-memory-long (>=1.1.0.0 <=1.1.2.3), com.alibaba.cloud.ai:spring-ai-alibaba-starter-memory-long (>=1.1.0.0 <=1.1.2.3) +5 more potentially affected by CVE-2026-40966 via org.springframework.ai:spring-ai-advisors-vector-store (>=1.1.0 <=1.1.4)

org.springframework.ai:spring-ai-advisors-vector-store MAVEN version =1.1.0, =1.1.0.0, =1.1.0.0, =1.1.0.0, =0.0.6, =4.17.0, =4.17.0, =4.20.0 - org.vrspace:server =0.8.7 Source cves: CVE-2026-40966 Source advisory: OSV:GHSA-V6X6-PJXW-3PV2...

CVSS 5.9, AI score 5.4, EPSS 0.00233
Exploits: 0
vulnersOsv
added 2026/04/28 9:34 a.m., 8 views

ai.driftkit:driftkit-vector-spring-ai (>=0.6.0 <=0.8.7), ai.driftkit:driftkit-vector-spring-ai-starter (>=0.6.0 <=0.8.7) +193 more potentially affected by CVE-2026-40967 via org.springframework.ai:spring-ai-vector-store (>=1.0.0 <=1.0.5)

org.springframework.ai:spring-ai-vector-store MAVEN version =1.0.0, =0.6.0, =0.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.24, =1.0.27, =1.0.0, =1.0.0, =1.0.28 - com.alibaba.cloud.ai.autoconfigure.memory.long:spring-ai-alibaba-autoconfigure-memory-long =1.0.0.4 -...

CVSS 8.6, AI score 5.4, EPSS 0.00394
Exploits: 0
NVD
added 2026/04/28 12:16 a.m., 4 views

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVSS 9.1, EPSS 0.00413
Exploits: 0, References: 1
EUVD
added 2026/04/27 11:34 p.m., 3 views

EUVD-2026-25940

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVSS 9.1, AI score 5.3, EPSS 0.00413
Exploits: 0, References: 1
Vulnrichment
added 2026/04/27 11:34 p.m., 2 views

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVSS 9.1, AI score 5.3, EPSS 0.00413
Exploits: 0, References: 1
ATTACKERKB
added 2026/04/27 11:34 p.m., 2 views

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVSS 9.1, AI score 5.3, EPSS 0.00413
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2026/04/27 11:34 p.m., 187 views

CVE-2026-40976

CVE-2026-40976 affects Spring Boot 4.0.0–4.0.5. In vulnerable configurations, a servlet-based web application that relies on Spring Boot’s default web security (no custom Spring Security config), depends on spring-boot-actuator-autoconfigure, and does not rely on spring-boot-health can experience...

CVSS 9.1, AI score 5.3, EPSS 0.00413
Exploits: 0, References: 1, Affected Software: 1
Positive Technologies
added 2026/04/27 12:0 a.m., 4 views

PT-2026-35548

Name of the Vulnerable Software and Affected Versions Spring Boot versions 4.0.0 through 4.0.5 Description Default web security in certain configurations is ineffective, allowing unauthorized and unauthenticated access to all endpoints. This occurs when a servlet-based web application relies on t...

CVSS 9.1, AI score 5.5, EPSS 0.00413
Exploits: 0, References: 15
vulnersOsv
added 2026/04/27 12:0 a.m., 8 views

com.thecookiezen:archiledger-core (>=0.0.4 <=0.0.5), org.springframework.ai:spring-ai-starter-model-transformers (>=1.1.0 <=1.1.4) potentially affected by CVE-2026-40979 via org.springframework.ai:spring-ai-autoconfigure-model-transformers (>=1.1.0-M1 <=1.1.4)

org.springframework.ai:spring-ai-autoconfigure-model-transformers MAVEN version =1.1.0-M1, =0.0.4, =1.1.0, =1.1.4 Source cves: CVE-2026-40979 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16316420...

CVSS 6.1, AI score 5.8, EPSS 0.00105
Exploits: 0
vulnersOsv
added 2026/04/27 12:0 a.m., 12 views

com.alibaba.cloud.ai:spring-ai-alibaba-autoconfigure-rag-elasticsearch (>=1.1.0.0 <=1.1.2.3), com.alibaba.cloud.ai:spring-ai-alibaba-rag (>=1.1.0.0 <=1.1.2.3) +2 more potentially affected by CVE-2026-40967 via org.springframework.ai:spring-ai-elasticsearch-store (>=1.1.0-M1 <=1.1.4)

org.springframework.ai:spring-ai-elasticsearch-store MAVEN version =1.1.0-M1, =1.1.0.0, =1.1.0.0, =1.1.0.0, =1.1.0, =1.1.4 Source cves: CVE-2026-40967 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16321388...

CVSS 8.6, AI score 5.4, EPSS 0.00394
Exploits: 0
vulnersOsv
added 2026/04/27 12:0 a.m., 8 views

org.springframework.ai:spring-ai-starter-model-transformers (>=1.0.0 <=1.0.5) potentially affected by CVE-2026-40979 via org.springframework.ai:spring-ai-autoconfigure-model-transformers (>=1.0.0-M7 <=1.0.5)

org.springframework.ai:spring-ai-autoconfigure-model-transformers MAVEN version =1.0.0-M7, =1.0.0, =1.0.5 Source cves: CVE-2026-40979 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16316420...

CVSS 6.1, AI score 5.8, EPSS 0.00105
Exploits: 0