CVE-2026-40975: CWE-330: Use of Insufficiently Random Values in Spring Spring Boot
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
AI Analysis
Technical Summary
This vulnerability arises from the use of weak pseudorandom number generators in Spring Boot's random value property source. Specifically, the ${random.value} property produces values that are not cryptographically secure and therefore should not be used for generating secrets. Numeric random values such as ${random.int} and ${random.long} are also predictable and unsuitable for secret generation. The issue affects Spring Boot versions 2.7.0 to 2.7.32, 3.3.0 to 3.3.18, 3.4.0 to 3.4.15, 3.5.0 to 3.5.13, and 4.0.0 to 4.0.5. Fixed versions include 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The vulnerability is identified as CWE-330 (Use of Insufficiently Random Values).
Potential Impact
The impact is limited to the potential exposure of secrets generated using weak random values, which could lead to reduced confidentiality and integrity of those secrets. The CVSS score of 4.8 reflects a medium severity with low confidentiality and integrity impact and no availability impact. There are no known exploits in the wild.
Mitigation Recommendations
Fixed versions are available: upgrade to Spring Boot 2.7.33, 3.3.19, 3.4.16, 3.5.14, or 4.0.6 or later. Avoid using ${random.value}, ${random.int}, and ${random.long} for generating secrets. Use ${random.uuid} or other cryptographically secure random generators instead. Since a fix is available, upgrading to a patched version is the recommended remediation.
CVE-2026-40975: CWE-330: Use of Insufficiently Random Values in Spring Spring Boot
Description
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the use of weak pseudorandom number generators in Spring Boot's random value property source. Specifically, the ${random.value} property produces values that are not cryptographically secure and therefore should not be used for generating secrets. Numeric random values such as ${random.int} and ${random.long} are also predictable and unsuitable for secret generation. The issue affects Spring Boot versions 2.7.0 to 2.7.32, 3.3.0 to 3.3.18, 3.4.0 to 3.4.15, 3.5.0 to 3.5.13, and 4.0.0 to 4.0.5. Fixed versions include 2.7.33, 3.3.19, 3.4.16, 3.5.14, and 4.0.6. The vulnerability is identified as CWE-330 (Use of Insufficiently Random Values).
Potential Impact
The impact is limited to the potential exposure of secrets generated using weak random values, which could lead to reduced confidentiality and integrity of those secrets. The CVSS score of 4.8 reflects a medium severity with low confidentiality and integrity impact and no availability impact. There are no known exploits in the wild.
Mitigation Recommendations
Fixed versions are available: upgrade to Spring Boot 2.7.33, 3.3.19, 3.4.16, 3.5.14, or 4.0.6 or later. Avoid using ${random.value}, ${random.int}, and ${random.long} for generating secrets. Use ${random.uuid} or other cryptographically secure random generators instead. Since a fix is available, upgrading to a patched version is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:19:04.616Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0134ecbff5d861057a5ce
Added to database: 4/28/2026, 1:54:22 AM
Last enriched: 4/28/2026, 1:54:50 AM
Last updated: 4/28/2026, 3:12:21 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.