Description
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Published: 2026-04-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Update Soon
AI Analysis

Impact

This vulnerability is a timing attack that targets the remote secret comparison used by Spring Boot’s DevTools. An attacker who can communicate with the same network as the target application may measure response times to deduce bits of the secret. Once the secret is fully compromised, the attacker can upload malicious classes to the application and gain remote code execution. The weakness is defined by CWE‑208, a timing side‑channel vulnerability, and the impact ranges from inadvertent information disclosure to full remote compromise.

Affected Systems

Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32 are affected. Fixes are available as 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33 respectively. Unsupported Spring Boot releases are also vulnerable according to the vendor advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. No EPSS data is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local network attacker able to issue network requests to the remote application, leveraging timing differences to extract the secret. Successful exploitation would allow the attacker to upload arbitrary classes, achieving remote code execution on the host system.

Generated by OpenCVE AI on April 28, 2026 at 12:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Spring Boot version that includes the fix (4.0.6 or later, 3.5.14 or later, 3.4.16 or later, 3.3.19 or later, 2.7.33 or later).
  • If an upgrade is not immediately possible, disable Spring Boot DevTools or its remote secret comparison feature to eliminate the vulnerable functionality.
  • Limit network exposure of the application by ensuring that only trusted hosts or subnets can reach it, thereby preventing an attacker on the same network from carrying out the timing attack.

Generated by OpenCVE AI on April 28, 2026 at 12:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-56v8-86gj-66jp Spring Boot DevTools remote secret comparison is vulnerable to timing attacks
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Timing Attack on Spring Boot Remote Secret Comparison Enables Remote Code Execution Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 30 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Title Timing Attack on Spring Boot Remote Secret Comparison Enables Remote Code Execution
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T03:55:44.263Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40972

cve-icon Vulnrichment

Updated: 2026-04-28T12:45:23.300Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T00:16:24.210

Modified: 2026-04-30T14:26:30.880

Link: CVE-2026-40972

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-27T23:15:19Z

Links: CVE-2026-40972 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses