CVE-2026-40976: CWE-862: Missing Authorization in Spring Spring Boot
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40976) involves missing authorization controls in Spring Boot's default web security configuration. When an application is servlet-based, lacks custom Spring Security configuration, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default security filter chain fails to enforce authorization, enabling unauthorized access to all endpoints. The affected versions are Spring Boot 4.0.0 through 4.0.5. The vendor advisory recommends upgrading to version 4.0.6 or later to remediate the issue.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to access all endpoints of affected Spring Boot applications without authorization, potentially leading to full compromise of application data and functionality. The CVSS score of 9.1 reflects the critical nature of the impact, with high confidentiality and integrity impact and no required privileges or user interaction for exploitation.
Mitigation Recommendations
A fix is available by upgrading affected Spring Boot applications to version 4.0.6 or later as per the vendor advisory. Applications should verify their Spring Security configuration and dependencies to ensure they do not rely solely on the default security filter chain in vulnerable versions. Patch status is confirmed by the vendor advisory recommending the upgrade.
CVE-2026-40976: CWE-862: Missing Authorization in Spring Spring Boot
Description
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
CVSS v3.1
Score 9.1critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40976) involves missing authorization controls in Spring Boot's default web security configuration. When an application is servlet-based, lacks custom Spring Security configuration, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default security filter chain fails to enforce authorization, enabling unauthorized access to all endpoints. The affected versions are Spring Boot 4.0.0 through 4.0.5. The vendor advisory recommends upgrading to version 4.0.6 or later to remediate the issue.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to access all endpoints of affected Spring Boot applications without authorization, potentially leading to full compromise of application data and functionality. The CVSS score of 9.1 reflects the critical nature of the impact, with high confidentiality and integrity impact and no required privileges or user interaction for exploitation.
Mitigation Recommendations
A fix is available by upgrading affected Spring Boot applications to version 4.0.6 or later as per the vendor advisory. Applications should verify their Spring Security configuration and dependencies to ensure they do not rely solely on the default security filter chain in vulnerable versions. Patch status is confirmed by the vendor advisory recommending the upgrade.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:19:04.616Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0134ecbff5d861057a5d1
Added to database: 4/28/2026, 1:54:22 AM
Last enriched: 5/5/2026, 2:42:58 AM
Last updated: 6/12/2026, 5:16:55 AM
Views: 145
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.