Description
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Published: 2026-04-27
Score: 5 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Man‑in‑the‑Middle via Insecure SSL to Cassandra
Action: Immediate Patch
AI Analysis

Impact

Spring Boot auto‑configures Cassandra connections over SSL but does not validate that the hostname in the server’s certificate matches the host being connected to. This is a CWE‑295 (Improper Certificate Validation) vulnerability. It could allow an attacker to intercept or tamper with encrypted traffic if the attacker can present a forged or re‑signed certificate. The impact is potential compromise of the confidentiality and integrity of the data exchanged with the Cassandra cluster.

Affected Systems

The affected products are Spring Boot 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32, all of which perform Cassandra SSL auto‑configuration. Fixed releases begin at 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33 respectively. Unsupported releases that still use Cassandra SSL auto‑configuration are also vulnerable.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity. Based on the description, it is inferred that the vulnerability can be exploited by an attacker who has network access between the Spring Boot application and the Cassandra cluster or who can impersonate the Cassandra server with a fabricated certificate. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is currently unknown. Nonetheless, the potential for internal threat actors or compromised nodes to undermine data confidentiality and integrity warrants timely mitigation.

Generated by OpenCVE AI on April 28, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Boot to the earliest patched release for your major version (for example 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33).
  • If an immediate upgrade is not feasible, replace the Cassandra auto‑configuration with a custom client configuration that enforces hostname verification or otherwise validates the presented certificate against a trusted CA.
  • Restrict and monitor the network path between the application and the Cassandra cluster, limiting connectivity to trusted subnets or a dedicated gateway, and routinely audit certificates for unexpected changes.

Generated by OpenCVE AI on April 28, 2026 at 19:36 UTC.
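The second recommended action above (replace the auto-configuration's SSL setup with a client configuration that enforces hostname verification) can be implemented as a Spring bean. The code below is an added example, not code from the OpenCVE page or from the Spring Boot project. It assumes the DataStax Java driver 4.x API (`SslEngineFactory`, `EndPoint`, `CqlSessionBuilder.withSslEngineFactory`) and Spring Boot's `CqlSessionBuilderCustomizer` hook in the `org.springframework.boot.autoconfigure.cassandra` package as found in Boot 2.x/3.x; it also assumes that customizers run after the auto-configuration has applied its own SSL settings, so the last `withSslEngineFactory` call wins. The class names `HostnameVerifyingSslEngineFactory` and `CassandraHostnameVerificationConfig` are made up for this example. Check package names against the Boot version you actually run.

```java
// Added example (not from the OpenCVE page or the Spring Boot project). Assumes the
// DataStax Java driver 4.x SslEngineFactory/EndPoint API and Spring Boot's
// CqlSessionBuilderCustomizer hook (Boot 2.x/3.x package path shown).
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import com.datastax.oss.driver.api.core.metadata.EndPoint;
import com.datastax.oss.driver.api.core.ssl.SslEngineFactory;
import org.springframework.boot.autoconfigure.cassandra.CqlSessionBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * SslEngineFactory (hypothetical class name) that always turns on JSSE endpoint
 * identification, so the node's certificate must match the contact point's hostname.
 */
final class HostnameVerifyingSslEngineFactory implements SslEngineFactory {

    private final SSLContext sslContext;

    HostnameVerifyingSslEngineFactory(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    @Override
    public SSLEngine newSslEngine(EndPoint remoteEndpoint) {
        SocketAddress address = remoteEndpoint.resolve();
        SSLEngine engine;
        if (address instanceof InetSocketAddress) {
            InetSocketAddress inet = (InetSocketAddress) address;
            // The engine needs the peer host and port to know which name to check.
            // getHostString() avoids a reverse DNS lookup when the contact point was an IP.
            engine = sslContext.createSSLEngine(inet.getHostString(), inet.getPort());
        } else {
            engine = sslContext.createSSLEngine();
        }
        engine.setUseClientMode(true);

        // "HTTPS" selects RFC 2818 / RFC 6125 name matching against the certificate's
        // subjectAltName entries. Without it, any certificate chaining to a trusted CA
        // is accepted regardless of the host it was issued for, which is the gap the
        // advisory describes (CWE-295).
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    @Override
    public void close() {
        // Nothing to release; the SSLContext is owned by the caller.
    }
}

@Configuration
class CassandraHostnameVerificationConfig {

    /**
     * Replaces the auto-configured SslEngineFactory on the session builder.
     * Assumes the Cassandra node certificates chain to a CA in the JVM default
     * trust store (javax.net.ssl.trustStore); build a dedicated SSLContext from
     * your own trust store if that is not the case.
     */
    @Bean
    CqlSessionBuilderCustomizer hostnameVerifyingSsl() throws NoSuchAlgorithmException {
        SSLContext context = SSLContext.getDefault();
        return builder -> builder.withSslEngineFactory(new HostnameVerifyingSslEngineFactory(context));
    }
}
```

The observable check that the workaround is active: with this bean in place, a node that presents a CA-signed certificate whose subjectAltName does not contain the contact point's hostname (or IP) fails the TLS handshake with an `SSLHandshakeException` naming the endpoint identification failure, and the session never comes up; before the change the same certificate was accepted. Use hostnames rather than raw IPs as contact points unless the node certificates carry IP-type subjectAltName entries, since the name check is made against whatever the application connected to.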


Advisories
Source | ID | Title
Github GHSA | GHSA-mqvw-jfmh-93qq | Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification
History

Thu, 14 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vmware; Vmware spring Boot
CPEs | | cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products | | Vmware; Vmware spring Boot

Mon, 04 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Cassandra SSL Hostname Verification Bypass in Spring Boot Auto‑Configuration | Spring Boot: Cassandra: Spring Boot: Security bypass in Cassandra SSL connections
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Tue, 28 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Title | | Cassandra SSL Hostname Verification Bypass in Spring Boot Auto‑Configuration

Tue, 28 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spring; Spring spring Boot
Vendors & Products | | Spring; Spring spring Boot

Mon, 27 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Weaknesses | | CWE-295
References | |
Metrics | | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T12:41:52.250Z

Reserved: 2026-04-16T02:19:04.615Z

Link: CVE-2026-40974

Vulnrichment

Updated: 2026-04-28T12:41:48.185Z

NVD

Status: Analyzed

Published: 2026-04-28T00:16:24.523

Modified: 2026-05-14T16:00:26.880

Link: CVE-2026-40974

Redhat

Severity: Moderate

Public Date: 2026-04-27T23:31:40Z

Links: CVE-2026-40974 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses