Description
When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.
Published: 2026-04-27
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Corruption
Action: Patch
AI Analysis

Impact

The vulnerability resides in Spring Boot's `ApplicationPidFileWriter` component, which writes the process ID to a file at a predictable default path and follows symbolic links when it does so. A local attacker who can write to the directory that holds the PID file can plant a symlink under the PID file's name before the application starts; on startup the writer truncates and overwrites whatever the link points to, so one file the application process can write to is corrupted per start. If that file belongs to the application or the host (a configuration file, a data file, a unit file the service account can modify), the result is service disruption or another integrity violation. The weakness is improper link resolution before file access (CWE-59): the attacker chooses the target, while the content written is the PID rather than attacker-controlled data.
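The following is an added illustration, not code from the Spring Boot project or from the advisory: a minimal Python reproduction of the link-following pattern described above (a PID writer that opens its target with a plain open-for-write, run after an attacker has planted a symlink under the PID file's name) beside a hardened writer that opens with `O_NOFOLLOW`, so a planted link is rejected instead of followed. It assumes a POSIX host (Linux or macOS); the temporary directory, the victim file and the function names `naive_write_pid`, `safe_write_pid` and `demo` are constructed for this example.

```python
import os
import tempfile


def naive_write_pid(pid_path: str, pid: int) -> None:
    """Vulnerable pattern: a plain open-for-write follows a symlink at
    pid_path, so whatever the link points at is truncated and overwritten."""
    with open(pid_path, "w") as f:
        f.write(str(pid))


def safe_write_pid(pid_path: str, pid: int) -> None:
    """Hardened pattern: O_NOFOLLOW makes open() fail (ELOOP on Linux) when
    the final path component is a symlink, so a planted link is never
    followed. The kernel performs the check inside the same open() call, so
    there is no window between checking the path and writing to it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(pid_path, flags, 0o644)
    try:
        os.write(fd, str(pid).encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a directory the attacker can write to, a victim
    file, and a symlink planted under the PID file's name before 'start'."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        pid_path = os.path.join(d, "application.pid")
        original = "important=1\n"
        with open(victim, "w") as f:
            f.write(original)
        os.symlink(victim, pid_path)  # attacker's move, before the app starts

        # Vulnerable writer: the victim file now holds the PID instead.
        naive_write_pid(pid_path, 4242)
        with open(victim) as f:
            after_naive = f.read()

        # Reset the victim and retry with the hardened writer.
        with open(victim, "w") as f:
            f.write(original)
        try:
            safe_write_pid(pid_path, 4242)
            safe_raised = False
        except OSError:
            safe_raised = True
        with open(victim) as f:
            after_safe = f.read()

    return {
        "after_naive": after_naive,  # "4242": victim overwritten
        "safe_raised": safe_raised,  # True: planted link refused
        "after_safe": after_safe,    # original content untouched
    }


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only protects the final path component: a symlinked parent directory is still followed, which is why the directory itself must be one that only the service account can write to. Failing closed when the path already exists as a link is the right behaviour for a PID writer, since it normally runs once at startup and a pre-existing link is never legitimate.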

Affected Systems

Spring Boot versions from 2.7.0 through 4.0.5 are affected. The advisory lists specific supported versions: 2.7.0–2.7.32 (fixed in 2.7.33), 3.3.0–3.3.18 (fixed in 3.3.19), 3.4.0–3.4.15 (fixed in 3.4.16), 3.5.0–3.5.13 (fixed in 3.5.14), and 4.0.0–4.0.5 (fixed in 4.0.6). Versions that are no longer supported are also affected per vendor advisory.

Risk and Exploitability

The CVSS 3.1 base score of 4.7 (vector AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H) indicates moderate severity: the attack is local, requires high privileges and high attack complexity (the attacker must already be able to write to the PID file's directory and must plant the link before the application starts), and the rated impact is low on integrity and high on availability, because the corrupted file can be one the application or host needs in order to run. EPSS is below 1% (very low) and the issue is not listed in CISA's KEV catalog. No remote attack vector is described, so the risk is confined to hosts where untrusted local users can write to the PID file's directory.

Generated by OpenCVE AI on April 28, 2026 at 12:40 UTC.

Remediation

Vendor fix: upgrade to Spring Boot 4.0.6, 3.5.14, 3.4.16, 3.3.19 or 2.7.33 (or later), as listed in the affected-versions table above. No separate vendor workaround is published.

OpenCVE Recommended Actions

  • Upgrade to a fixed Spring Boot release (4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33 or newer).
  • Point the PID file (the `spring.pid.file` property) at a directory that only the service account running the application can write to, never a shared or world-writable location such as a temporary directory, and check that no symlink is present at the configured path before start. Ownership by a non-privileged user is not by itself a mitigation; what matters is that no other local user can create entries in that directory.
  • If the PID file is not needed for your deployment, do not register `ApplicationPidFileWriter` at all: it is opt-in and only runs when added as an application listener, so removing that registration removes the write.
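As a pre-deployment check for the second and third actions above (an added example, not an OpenCVE or Spring Boot tool): a Python audit of a configured PID path that flags a parent directory writable by other users (with or without the sticky bit), a parent owned by someone else, and a symlink already present at the path. It assumes POSIX permissions and that the audit runs as the account that will later run the application; the finding names and the `demo_audit` scenarios are this example's own.

```python
import os
import stat
import tempfile
from typing import List


def audit_pid_path(pid_path: str) -> List[str]:
    """Return findings for a PID file location; an empty list means nothing
    was flagged. Ownership checks use the current uid, so run this as the
    account that will run the application."""
    findings: List[str] = []
    pid_path = os.path.abspath(pid_path)
    parent = os.path.dirname(pid_path)
    me = os.getuid()

    try:
        dst = os.lstat(parent)
    except FileNotFoundError:
        return [f"parent-missing:{parent}"]
    if not stat.S_ISDIR(dst.st_mode):
        return [f"parent-not-a-directory:{parent}"]

    mode = stat.S_IMODE(dst.st_mode)
    if mode & stat.S_IWOTH:
        # The sticky bit (as on /tmp) stops others deleting your file, but it
        # does not stop them creating a symlink under your file's name first.
        findings.append("parent-world-writable-sticky" if mode & stat.S_ISVTX
                        else "parent-world-writable")
    elif mode & stat.S_IWGRP:
        findings.append("parent-group-writable")
    if dst.st_uid not in (me, 0):
        findings.append("parent-owned-by-other-user")

    try:
        fst = os.lstat(pid_path)  # lstat: inspect the entry, do not follow it
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(fst.st_mode):
        findings.append("pidfile-is-symlink")
    elif fst.st_uid not in (me, 0):
        findings.append("pidfile-owned-by-other-user")
    return findings


def demo_audit() -> dict:
    """Constructed scenarios in a temp directory: a shared-temp-style parent
    (mode 1777) with a planted link, then the same parent locked down to 0700."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pid_path = os.path.join(d, "application.pid")
        os.chmod(d, 0o1777)
        os.symlink("/etc/hostname", pid_path)  # attacker plants the link
        results["shared_tmp_with_link"] = audit_pid_path(pid_path)
        os.unlink(pid_path)
        os.chmod(d, 0o700)  # directory writable by the service account only
        results["locked_down"] = audit_pid_path(pid_path)
    return results


if __name__ == "__main__":
    for name, findings in demo_audit().items():
        print(f"{name}: {findings or 'ok'}")
```

Run it against the value of `spring.pid.file` (or the application's working directory when the property is unset) from the service account before enabling the writer; any finding other than an empty list means the directory should be changed or locked down before the application is started.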

Generated by OpenCVE AI on April 28, 2026 at 12:40 UTC.

Advisories
  • GitHub GHSA GHSA-5368-6h4h-gr29: Spring Boot's PID file write follows symlinks at predictable default path
History

Thu, 30 Apr 2026 13:45:00 +0000

  • First Time appeared (added): Vmware; Vmware spring Boot
  • CPEs (added): cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
  • Vendors & Products (added): Vmware; Vmware spring Boot

Thu, 30 Apr 2026 04:15:00 +0000

  • Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 12:15:00 +0000

  • Title (removed): Local File Corruption via Spring Boot PID File Writer Misconfiguration
  • Title (added): Spring Boot: Spring Boot: Local file corruption via PID file manipulation
  • References
  • Metrics threat_severity (removed): None
  • Metrics threat_severity (added): Moderate


Tue, 28 Apr 2026 13:00:00 +0000

  • Title (added): Local File Corruption via Spring Boot PID File Writer Misconfiguration

Tue, 28 Apr 2026 02:15:00 +0000

  • First Time appeared (added): Spring; Spring spring Boot
  • Vendors & Products (added): Spring; Spring spring Boot

Mon, 27 Apr 2026 23:45:00 +0000

  • Description (added): When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.
  • Weaknesses (added): CWE-59
  • References
  • Metrics cvssV3_1 (added): {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T14:34:36.220Z

Reserved: 2026-04-16T02:19:04.616Z

Link: CVE-2026-40977

Vulnrichment

Updated: 2026-04-28T13:55:15.321Z

NVD

Status : Analyzed

Published: 2026-04-28T00:16:24.947

Modified: 2026-04-30T13:37:07.597

Link: CVE-2026-40977

Redhat

Severity : Moderate

Public Date: 2026-04-27T23:36:06Z

Links: CVE-2026-40977 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T12:45:31Z

Weaknesses