CVE-2026-40972
Published: 28 April 2026
Summary
CVE-2026-40972 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in VMware Spring Boot. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) requires timely patching of the timing side-channel vulnerability in the Spring Boot DevTools remote secret comparison, removing the flaw itself as the vendor recommends.
Boundary protection (SC-7) monitors and controls communications at external interfaces, preventing adjacent-network attackers from reaching the vulnerable application to perform the timing attack.
Least functionality configures the system to disable non-essential DevTools remote features in production, reducing exposure to the remote secret timing vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The timing side-channel vulnerability in Spring Boot DevTools enables recovery of the remote secret, directly facilitating remote code execution via class upload on the affected application, mapping to exploitation of a public-facing application.
NVD Description
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Deeper analysis
CVE-2026-40972 is a timing side-channel vulnerability (CWE-208) in the remote secret comparison mechanism of Spring Boot DevTools. It affects Spring Boot versions 4.0.0 through 4.0.5 (fixed in 4.0.6), 3.5.0 through 3.5.13 (fixed in 3.5.14), 3.4.0 through 3.4.15 (fixed in 3.4.16), 3.3.0 through 3.3.18 (fixed in 3.3.19), and 2.7.0 through 2.7.32 (fixed in 2.7.33). Versions no longer supported are also vulnerable according to the vendor advisory. The issue has a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An adjacent attacker on the same network as the vulnerable Spring Boot application can exploit this through a timing attack to leak information about the DevTools remote secret. In extreme cases, successful exploitation allows the attacker to fully recover the secret, enabling them to upload modified classes to the target application and achieve remote code execution.
The Spring security advisory at https://spring.io/security/cve-2026-40972 recommends upgrading to the fixed versions listed above. Unsupported versions remain vulnerable with no patches available.
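The defect class described above, as an added example that is not Spring Boot's code or the advisory's: an early-exit byte comparison, which does more work the longer the correctly matching prefix is, beside a constant-time check built on MessageDigest.isEqual. The class name, the sample secret and the guesses are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Illustrates the CWE-208 defect class behind CVE-2026-40972 and the usual fix.
 * Hypothetical example code: it is not Spring Boot's own implementation.
 */
public final class SecretCompare {
    /**
     * Vulnerable pattern: stops at the first differing byte, so the work done (and
     * hence the response time) grows with the length of the correctly guessed prefix.
     * Returns the number of bytes examined so the effect is visible without timing.
     */
    static int earlyExitComparedBytes(byte[] expected, byte[] presented) {
        int compared = 0;
        int n = Math.min(expected.length, presented.length);
        for (int i = 0; i < n; i++) {
            compared++;
            if (expected[i] != presented[i]) {
                break; // early exit: the index reached reveals how much of the prefix matched
            }
        }
        return compared;
    }

    /**
     * Fixed pattern: hash both sides so a length mismatch cannot short-circuit either,
     * then compare the fixed-length digests with MessageDigest.isEqual, which examines
     * every byte regardless of where the first difference lies.
     */
    static boolean constantTimeEquals(byte[] expected, byte[] presented)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] a = md.digest(expected);
        byte[] b = md.digest(presented); // digest() resets the instance, so reuse is safe
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] secret = "correct-horse-battery".getBytes(StandardCharsets.UTF_8); // constructed sample
        String[] guesses = {"x", "cx", "correct-x", "correct-horse-batterx", "correct-horse-battery"};
        for (String g : guesses) {
            byte[] p = g.getBytes(StandardCharsets.UTF_8);
            System.out.printf("%-22s early-exit examined %2d byte(s); constant-time match=%b%n",
                    g, earlyExitComparedBytes(secret, p), constantTimeEquals(secret, p));
        }
    }
}
```

Running main shows the early-exit count climbing with each longer matching prefix, while the constant-time path yields only the final match result; in a detection or review setting, any secret comparison that can short-circuit on a partial match is the pattern to look for.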
Details
- CWE(s)