CVE-2026-40972: CWE-208: Observable Timing Discrepancy in Spring Spring Boot
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40972) involves an observable timing discrepancy in the DevTools remote secret comparison mechanism of Spring Boot. An attacker on the same network segment as the target application can perform a timing attack to glean information about the secret used to authenticate remote class uploads. If the secret is fully determined, the attacker could upload altered classes, resulting in remote code execution on the affected Spring Boot application. The issue affects multiple versions of Spring Boot from 2.7.0 up to 4.0.5, with fixed versions released starting at 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The vulnerability is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 score of 7.5, indicating high severity. The vendor advisory or patch links were not provided, so patch availability is not explicitly confirmed.
Potential Impact
Successful exploitation allows an attacker on the same network to perform a timing attack to discover the remote secret used by Spring Boot DevTools. This can lead to the attacker determining the secret and uploading malicious classes to the application, resulting in remote code execution. This compromises confidentiality, integrity, and availability of the affected system. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
The provided data lists fixed versions for the affected Spring Boot releases: 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. Users should upgrade to these or later versions to remediate the vulnerability. Since no vendor advisory or explicit patch status is included, confirm patch availability and upgrade guidance from the official Spring project resources before applying updates. No other mitigation details are provided.
CVE-2026-40972: CWE-208: Observable Timing Discrepancy in Spring Spring Boot
Description
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40972) involves an observable timing discrepancy in the DevTools remote secret comparison mechanism of Spring Boot. An attacker on the same network segment as the target application can perform a timing attack to glean information about the secret used to authenticate remote class uploads. If the secret is fully determined, the attacker could upload altered classes, resulting in remote code execution on the affected Spring Boot application. The issue affects multiple versions of Spring Boot from 2.7.0 up to 4.0.5, with fixed versions released starting at 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The vulnerability is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 score of 7.5, indicating high severity. The vendor advisory or patch links were not provided, so patch availability is not explicitly confirmed.
Potential Impact
Successful exploitation allows an attacker on the same network to perform a timing attack to discover the remote secret used by Spring Boot DevTools. This can lead to the attacker determining the secret and uploading malicious classes to the application, resulting in remote code execution. This compromises confidentiality, integrity, and availability of the affected system. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
The provided data lists fixed versions for the affected Spring Boot releases: 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. Users should upgrade to these or later versions to remediate the vulnerability. Since no vendor advisory or explicit patch status is included, confirm patch availability and upgrade guidance from the official Spring project resources before applying updates. No other mitigation details are provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:18:56.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eff011d3d5ab91023eabf3
Added to database: 4/27/2026, 11:24:01 PM
Last enriched: 4/27/2026, 11:39:03 PM
Last updated: 4/28/2026, 1:54:54 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.