Description
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Published: 2026-04-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when a Spring Boot application that is servlet‑based, uses the default web security filter chain without any custom Spring Security configuration, includes spring‑boot‑actuator‑autoconfigure, but does not depend on spring‑boot‑health. Under these circumstances the default security is ineffective, allowing an unauthenticated user to reach every endpoint of the application. This missing authorization flaw (CWE‑862) and the insecure default configuration (CWE‑305) can expose or modify sensitive data and services, making the application vulnerable to unauthorized exploitation.

Affected Systems

Spring Boot versions 4.0.0 through 4.0.5 are vulnerable if the application meets the above conditions. Updating to 4.0.6 or later addresses the issue.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. The EPSS score of < 1% indicates a very low but non‑zero probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is exploiting the default filter chain by sending HTTP requests to any endpoint without authentication, which is feasible for an attacker who can reach the application over the network.

Generated by OpenCVE AI on May 14, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Boot to version 4.0.6 or later.
  • Add explicit Spring Security configuration to enforce authentication and authorization if upgrading is not immediately possible.
  • If custom security is required but cannot be added, disable spring‑boot‑actuator‑autoconfigure or remove its dependency.

Generated by OpenCVE AI on May 14, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8v8j-3hxp-93wr Spring Boot's default security filter chain has no authorization rule with Actuator but without Health
History

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Default Web Security Misconfiguration in Spring Boot Spring Boot: Spring Boot: Security bypass due to ineffective default web security
Weaknesses CWE-305
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 30 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Title Default Web Security Misconfiguration in Spring Boot

Tue, 28 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Mon, 27 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T03:55:41.205Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40976

cve-icon Vulnrichment

Updated: 2026-04-28T13:54:57.821Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T00:16:24.803

Modified: 2026-04-30T13:54:12.847

Link: CVE-2026-40976

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-27T23:34:51Z

Links: CVE-2026-40976 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:30:16Z

Weaknesses