CVE-2026-40976 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: April 28, 2026
Spring Boot - Broken Access Control
Overview
Spring Boot 4.0.0–4.0.5 contains a broken access control vulnerability caused by ineffective default web security configuration, letting unauthorized attackers access all endpoints, exploit requires no custom Spring Security configuration and specific dependencies.
Severity & Score
Impact
Unauthorized attackers can access all endpoints, potentially exposing sensitive data or functionality.
Mitigation
Upgrade to version 4.0.6 or later.
Social Media Activity(1 post)
Spring Boot Security Update Patches Critical Authentication Bypass and RCE Flaws Spring Boot reports three vulnerabilities, including a critical authentication bypass (CVE-2026-40976) and flaws allowing session hijacking or remote code execution via timing attacks. **If you use Spring Boot, upgrade ASAP to a patched version (4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33). Until patched, restrict access to your applications from trusted networks only and disable DevTools and Actuator endpoints in production.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/spring-boot-security-update-patches-critical-authentication-bypass-and-rce-flaws-m-w-3-i-y/gD2P6Ple2L
View original postRelated Resources
Details
- CVE ID
- CVE-2026-40976
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_access_control
- Status
- unconfirmed
- EPSS
- 3.6%
- Social Posts
- 1
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N