CVE-2026-40976: CWE-862: Missing Authorization in Spring Spring Boot
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-40976) arises from missing authorization controls in Spring Boot's default web security configuration under specific conditions. Applications that are servlet-based, lack custom Spring Security configurations, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health are vulnerable. The flaw allows unauthorized users to access all endpoints, compromising confidentiality and integrity. The issue affects Spring Boot versions 4.0.0 to 4.0.5. The vendor has released version 4.0.6 or later to remediate this vulnerability.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to bypass authorization controls and gain unauthorized access to all application endpoints. This can lead to full compromise of sensitive data and unauthorized modification of application state. The CVSS score of 9.1 reflects critical impact on confidentiality and integrity with no required privileges or user interaction.
Mitigation Recommendations
Upgrade affected Spring Boot applications to version 4.0.6 or later as recommended by the vendor advisory. This is the official fix that addresses the missing authorization issue in the default web security configuration. Applications that do not meet the specified conditions (e.g., have custom Spring Security configuration or do not depend on spring-boot-actuator-autoconfigure) are not vulnerable.
CVE-2026-40976: CWE-862: Missing Authorization in Spring Spring Boot
Description
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-40976) arises from missing authorization controls in Spring Boot's default web security configuration under specific conditions. Applications that are servlet-based, lack custom Spring Security configurations, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health are vulnerable. The flaw allows unauthorized users to access all endpoints, compromising confidentiality and integrity. The issue affects Spring Boot versions 4.0.0 to 4.0.5. The vendor has released version 4.0.6 or later to remediate this vulnerability.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to bypass authorization controls and gain unauthorized access to all application endpoints. This can lead to full compromise of sensitive data and unauthorized modification of application state. The CVSS score of 9.1 reflects critical impact on confidentiality and integrity with no required privileges or user interaction.
Mitigation Recommendations
Upgrade affected Spring Boot applications to version 4.0.6 or later as recommended by the vendor advisory. This is the official fix that addresses the missing authorization issue in the default web security configuration. Applications that do not meet the specified conditions (e.g., have custom Spring Security configuration or do not depend on spring-boot-actuator-autoconfigure) are not vulnerable.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-16T02:19:04.616Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f0134ecbff5d861057a5d1
Added to database: 4/28/2026, 1:54:22 AM
Last enriched: 4/28/2026, 1:54:58 AM
Last updated: 4/28/2026, 2:57:15 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.