Description
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Published: 2026-04-27
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle via unverified SSL hostname
Action: Apply Patch
AI Analysis

Impact

Spring Boot's Elasticsearch auto‑configuration, when set to use an SSL bundle, omits hostname verification when establishing a TLS connection to the Elasticsearch server. Without this check, an attacker could present a certificate for any hostname, leading a Spring Boot application to trust the connection and potentially intercept or modify traffic. The vulnerability does not provide direct code execution but can compromise confidentiality and integrity of data exchanged with Elasticsearch.

Affected Systems

Vendors and products affected are Spring and Spring Boot. The vulnerable range covers Spring Boot 4.0.0 through 4.0.5. The vendor advisory recommends upgrading to Spring Boot 4.0.6 or later.

Risk and Exploitability

The CVSS score of 5 indicates a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a network‑level adversary who can introduce a malicious Elasticsearch server or intercept traffic between the Spring Boot application and Elasticsearch. Exacerbated conditions include environments that do not enforce hostname verification in TLS. While exploitation is feasible when the application can reach an attacker‑controlled Elasticsearch endpoint, the absence of a publicly available exploit reduces immediate risk but warrants timely remediation.

Generated by OpenCVE AI on April 28, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring Boot 4.0.6 or later as advised by the vendor
  • If upgrade is delayed, enforce hostname verification or use certificate pinning in the Elasticsearch client configuration
  • Restrict outbound connections from the Spring Boot application to trusted Elasticsearch endpoints only, possibly via firewall rules or network segmentation

Generated by OpenCVE AI on April 28, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c96x-rpm4-349p Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.
History

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Missing Hostname Verification in Spring Boot Elasticsearch Auto-Configuration Spring Boot: Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows information disclosure
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 28 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Missing Hostname Verification in Spring Boot Elasticsearch Auto-Configuration

Tue, 28 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-27T19:30:55.167Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40970

cve-icon Vulnrichment

Updated: 2026-04-27T19:30:49.787Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T19:16:52.967

Modified: 2026-05-14T16:09:59.503

Link: CVE-2026-40970

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-27T19:09:58Z

Links: CVE-2026-40970 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses