CVE-2026-40972: CWE-208: Observable Timing Discrepancy in Spring Spring Boot
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40972) involves an observable timing discrepancy in the comparison of the DevTools remote secret in Spring Boot versions 2.7.0 through 4.0.5. An attacker positioned on the same network as the target application can leverage timing differences to deduce the secret used for remote DevTools connections. If the secret is fully determined, the attacker could upload altered classes to the application, potentially leading to remote code execution. The issue affects multiple supported and unsupported Spring Boot versions. Fixed versions include 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The CVSS v3.1 score is 7.5, indicating high severity, with attack vector being adjacent network and requiring high attack complexity.
Potential Impact
Successful exploitation allows an attacker on the same network to discover the remote secret used by Spring Boot DevTools. This can lead to unauthorized uploading of modified classes, resulting in remote code execution within the affected application. The impact includes full confidentiality, integrity, and availability compromise as indicated by the CVSS metrics.
Mitigation Recommendations
Fixed versions are available: upgrade affected Spring Boot versions to 2.7.33, 3.3.19, 3.4.16, 3.5.14, or 4.0.6 or later. Since no vendor advisory or patch links are provided, confirm patch availability and remediation guidance from the official Spring project resources. Until patched, restrict network access to DevTools remote features to trusted networks only to reduce exposure.
CVE-2026-40972: CWE-208: Observable Timing Discrepancy in Spring Spring Boot
Description
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
CVSS v3.1
Score 7.5high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40972) involves an observable timing discrepancy in the comparison of the DevTools remote secret in Spring Boot versions 2.7.0 through 4.0.5. An attacker positioned on the same network as the target application can leverage timing differences to deduce the secret used for remote DevTools connections. If the secret is fully determined, the attacker could upload altered classes to the application, potentially leading to remote code execution. The issue affects multiple supported and unsupported Spring Boot versions. Fixed versions include 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The CVSS v3.1 score is 7.5, indicating high severity, with attack vector being adjacent network and requiring high attack complexity.
Potential Impact
Successful exploitation allows an attacker on the same network to discover the remote secret used by Spring Boot DevTools. This can lead to unauthorized uploading of modified classes, resulting in remote code execution within the affected application. The impact includes full confidentiality, integrity, and availability compromise as indicated by the CVSS metrics.
Mitigation Recommendations
Fixed versions are available: upgrade affected Spring Boot versions to 2.7.33, 3.3.19, 3.4.16, 3.5.14, or 4.0.6 or later. Since no vendor advisory or patch links are provided, confirm patch availability and remediation guidance from the official Spring project resources. Until patched, restrict network access to DevTools remote features to trusted networks only to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:18:56.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eff011d3d5ab91023eabf3
Added to database: 4/27/2026, 11:24:01 PM
Last enriched: 5/5/2026, 2:42:25 AM
Last updated: 6/12/2026, 4:06:58 AM
Views: 105
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.