Description
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected.

Affected versions:
Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Published: 2026-06-11
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Boot's mail auto-configuration fails to enable SSL hostname verification when the application relies on the defaults. As a result, a malicious SMTP server can present a forged certificate and the client will accept it, allowing the attacker to intercept or modify email traffic and potentially harvest credentials or other sensitive data. The weakness is improper certificate validation (CWE-295): the client does not check that the presented certificate matches the server's identity, which can lead to loss of confidentiality and to authentication failures.

Affected Systems

Spring Boot versions 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, and 3.4.0 through 3.4.16 are affected. The upstream releases 4.0.7, 3.5.15, and 3.4.17 contain the fix and should be used where possible.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a remote attacker who can control or spoof the SMTP server the application connects to; the effort to exploit is low, as no privileged access or code execution is required. Proper mitigation removes the ability of an attacker to perform a man-in-the-middle attack against the client's email transport.

Generated by OpenCVE AI on June 11, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Boot to the latest release that enables hostname verification (e.g., 4.0.7 or newer, 3.5.15 or newer, 3.4.17 or newer).
  • If an upgrade is infeasible, explicitly configure JavaMail by setting spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to enable hostname verification in legacy releases.
  • Verify that all SMTP connections use TLS and that hostname verification is active before deployment.
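The last bullet asks for a pre-deployment check. The following Spring Boot startup guard is an added example, not code from the page or from the Spring project: it assumes a JavaMailSenderImpl bean is present (as Spring Boot's mail auto-configuration provides) and refuses to start unless the configured JavaMail properties require TLS and enable hostname verification. The isHardened helper is a hypothetical name chosen here so the policy can be unit-tested without a Spring context.

```java
import java.util.Properties;

import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mail.javamail.JavaMailSenderImpl;

/**
 * Added example (not part of the page or of Spring Boot): fail fast at startup
 * when the SMTP transport is not both encrypted and hostname-verified.
 */
@Configuration
public class MailTlsGuardConfig {

    // Hypothetical helper: evaluates the JavaMail properties for one protocol.
    // JavaMail reads "mail.smtp.*" for protocol "smtp" and "mail.smtps.*" for "smtps".
    static boolean isHardened(String protocol, Properties props) {
        String p = (protocol == null || protocol.isEmpty()) ? "smtp" : protocol;
        // Implicit TLS: smtps, or mail.<p>.ssl.enable=true on a plain smtp session.
        boolean implicitTls = "smtps".equals(p)
                || Boolean.parseBoolean(props.getProperty("mail." + p + ".ssl.enable"));
        // Opportunistic STARTTLS is only safe when it is also required;
        // otherwise a downgrade to plaintext is silently accepted.
        boolean startTls = Boolean.parseBoolean(props.getProperty("mail." + p + ".starttls.enable"))
                && Boolean.parseBoolean(props.getProperty("mail." + p + ".starttls.required"));
        // The property this CVE is about: without it the certificate's name is never
        // compared with the host the client connected to.
        boolean verifyIdentity =
                Boolean.parseBoolean(props.getProperty("mail." + p + ".ssl.checkserveridentity"));
        return (implicitTls || startTls) && verifyIdentity;
    }

    @Bean
    ApplicationRunner mailTlsGuard(JavaMailSenderImpl sender) {
        return args -> {
            if (!isHardened(sender.getProtocol(), sender.getJavaMailProperties())) {
                throw new IllegalStateException(
                        "SMTP transport is not hardened: require TLS (ssl.enable or "
                        + "starttls.enable+starttls.required) and set "
                        + "mail.<protocol>.ssl.checkserveridentity=true");
            }
        };
    }
}
```

In application.properties the passing configuration for the default smtp protocol is spring.mail.properties.mail.smtp.ssl.checkserveridentity=true together with spring.mail.properties.mail.smtp.starttls.enable=true and spring.mail.properties.mail.smtp.starttls.required=true (or mail.smtp.ssl.enable=true for implicit TLS).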

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 07:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Spring, Spring Boot
Type: Vendors & Products
  Values removed: (none)
  Values added: Spring, Spring Boot

Thu, 11 Jun 2026 06:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Type: Title
  Values removed: (none)
  Values added: Mail Auto-Configuration Does Not Enable SSL Hostname Verification
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-295
Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Spring Spring Boot
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:03:53.539Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40992

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:27.177

Modified: 2026-06-11T07:16:27.177

Link: CVE-2026-40992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses