Description
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Published: 2026-04-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Boot applications that enable persistent sessions and rely on the default ApplicationTemp location can be compromised by a local attacker who has file system access on the same host. By controlling the contents of the temporary directory, the attacker can read or modify session data, enabling the hijacking of authenticated users. If the attacker can also inject a gadget chain into that directory, code execution under the application’s user account becomes possible. The weakness is characterized by CWE-341 and CWE-377, reflecting both predictable data usage and improper control of code and data generation.

Affected Systems

The vulnerability affects Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32. The fix was introduced in Spring Boot 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33, respectively. Older releases outside those ranges, which are no longer supported, may also be impacted.

Risk and Exploitability

The CVSS score of 7 classifies this issue as a high‑severity vulnerability, yet the exploit probability remains low, with an EPSS score of < 1%, and the vulnerability is not in the CISA KEV catalogue. Attacks require local host access, the application to have persistent sessions enabled, and the ability to read or modify the ApplicationTemp directory. Consequently, the primary threat is limited to environments where an attacker already has a foothold on the same machine, but the damage—session hijacking, credential theft, and possible application‑level code execution—can be severe.

Generated by OpenCVE AI on May 8, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Spring Boot release that includes the fix (4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33, or a later release in the same line).
  • Disable persistent HTTP sessions by setting `server.servlet.session.persistent=false` if an upgrade cannot be performed immediately.
  • Ensure the application’s temporary directory (ApplicationTemp) is owned by a less privileged user or otherwise protected, and prevent arbitrary write access from local users.
  • Verify the application configuration to enforce directory ownership checks, and consider moving the temporary folder to a secure, isolated location.
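A defender-side check for the last two actions, added here and not part of the OpenCVE record or of Spring Boot itself: it verifies that a directory intended to hold ApplicationTemp data is a real directory, owned by the current user, and not writable by group or others, and creates it with mode 0700 when it is absent rather than adopting whatever already sits at that path. The path is an operator-supplied assumption, because the exact location ApplicationTemp chooses under java.io.tmpdir depends on the Spring Boot version and the application.

```shell
#!/bin/sh
# Added example: verify that a directory used for Spring Boot's
# ApplicationTemp data is safe as a process-private temp location.
# The directory path is an operator-supplied assumption; this script
# does not derive ApplicationTemp's own location.

# check_app_temp_dir DIR
# Returns 0 when DIR is a real directory (not a symlink), owned by the
# current user, and not writable by group or others; otherwise prints
# the reason to stderr and returns 1.
check_app_temp_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "unsafe: $dir is a symlink" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "unsafe: $dir is missing or not a directory" >&2; return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "unsafe: $dir is not owned by $(id -un)" >&2; return 1
    fi
    # Symbolic mode looks like drwxrwxrwx: char 6 is group write,
    # char 9 is other write. cut drops any trailing ACL/SELinux marker.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ?????w????) echo "unsafe: $dir is group-writable ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ????????w?) echo "unsafe: $dir is world-writable ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# ensure_app_temp_dir DIR
# Creates DIR with mode 0700 when nothing exists at that path, then runs
# the check, so a pre-planted file, directory or symlink is rejected.
ensure_app_temp_dir() {
    dir=$1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    check_app_temp_dir "$dir"
}
```

Run it before starting the application, for example `ensure_app_temp_dir /var/lib/myapp/tmp || exit 1`, with the same user the application runs as.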



Advisories
Source: GitHub GHSA
ID: GHSA-wwpq-f5c3-7hvx
Title: Spring Boot accepts predictable temp directory without ownership verification
History

Fri, 08 May 2026 12:15:00 +0000

Title: removed "Local Directory Control Enables Session Hijacking and Code Execution in Spring Boot"; added "Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory"
Weaknesses: added CWE-341
References: changed (values not shown)
Metrics: threat_severity changed from None to Moderate

Thu, 30 Apr 2026 14:30:00 +0000

First Time appeared: Vmware; Vmware spring Boot
CPEs: added cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products: added Vmware; Vmware spring Boot

Tue, 28 Apr 2026 13:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 13:00:00 +0000

Title: added "Local Directory Control Enables Session Hijacking and Code Execution in Spring Boot"

Tue, 28 Apr 2026 02:30:00 +0000

First Time appeared: Spring; Spring spring Boot
Vendors & Products: added Spring; Spring spring Boot

Mon, 27 Apr 2026 23:45:00 +0000

Description: added (the description shown at the top of this page)
Weaknesses: added CWE-377
References: changed (values not shown)
Metrics: added cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T03:55:43.148Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40973

Vulnrichment

Updated: 2026-04-28T12:42:35.598Z

NVD

Status : Analyzed

Published: 2026-04-28T00:16:24.357

Modified: 2026-04-30T14:25:36.860

Link: CVE-2026-40973

Redhat

Severity : Moderate

Public Date: 2026-04-27T23:29:51Z

Links: CVE-2026-40973 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T14:00:10Z

Weaknesses