Description
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Published: 2026-04-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Weak random secret generation can lead to compromise of sensitive credentials
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from the Random Value Property Source in Spring Boot, which uses weak pseudo‑random number generators to produce values labeled as secrets. Generators such as ${random.int} and ${random.long} produce predictable numeric outputs within a limited range, making them unsuitable for cryptographic keys, passwords, or other secrets that must remain confidential. This weakness is classified as CWE‑330: Use of Cryptographically Weak or Predictable Pseudorandom Number Generator.

Affected Systems

Spring Boot releases 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32 are affected. The flaw is fixed in 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33 respectively. Any application that relies on the Random Value Property Source to generate secrets should be treated as vulnerable unless it has been upgraded or the source replaced with a secure generator.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity, and the EPSS score is not available. The vulnerability is not present in CISA’s KEV catalog, implying no confirmed public exploitation. The attack vector, while not explicitly documented, is likely to be local or network based on configuration access. An attacker who can influence or observe the application’s configuration or logging streams may predict or discover the generated secret values due to the predictability of the weak PRNG. Consequently, the risk remains significant enough to warrant prompt mitigation.

Generated by OpenCVE AI on April 28, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed Spring Boot release: 4.0.6 or later, 3.5.14 or later, 3.4.16 or later, 3.3.19 or later, or 2.7.33 or later.
  • Replace any usage of ${random.int} or ${random.long} for secret generation with a cryptographically secure source such as java.security.SecureRandom or UUID.
  • If upgrade is not immediately possible, disable the Random Value Property Source for secret generation or ensure it is not exposed to untrusted input, and use a secure generator for critical secrets.

Generated by OpenCVE AI on April 28, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m4x9-hx6x-2c43 Spring Boot's random value property source uses a weak PRNG unsuitable for secrets
References
Link Providers
https://spring.io/security/cve-2026-40975 cve-icon cve-icon
History

Thu, 30 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Tue, 28 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Weak Random Number Generator Used for Secrets in Spring Boot

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Mon, 27 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Weaknesses CWE-330
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T14:35:05.760Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40975

cve-icon Vulnrichment

Updated: 2026-04-28T13:51:35.949Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T00:16:24.657

Modified: 2026-04-30T13:57:15.473

Link: CVE-2026-40975

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses