Cyber Posture

CVE-2026-40975

Severity: Medium
Published: 28 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: (no value recorded)
CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0005 (14.4th percentile)
Risk Priority: 10 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40975 is a medium-severity Use of Insufficiently Random Values (CWE-330) vulnerability in VMware Spring Boot. Its CVSS base score is 4.8 (Medium).

Operationally, it is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · recover

Directly mandates timely patching of the weak PRNG flaw in affected Spring Boot versions as recommended by the vendor advisory.

detect

Enables detection of vulnerable Spring Boot deployments through regular vulnerability scanning for this specific CVE.

prevent

Prohibits use of unsupported Spring Boot versions that remain vulnerable per the vendor guidance.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

Deeper analysis

Spring Boot's random value property source employs a weak pseudo-random number generator (PRNG), rendering values from ${random.value} unsuitable for secrets; ${random.uuid} remains unaffected, while ${random.int} and ${random.long} are inherently unsuitable due to predictable numeric ranges. Affected versions span Spring Boot 4.0.0–4.0.5 (fixed in 4.0.6), 3.5.0–3.5.13 (fixed in 3.5.14), 3.4.0–3.4.15 (fixed in 3.4.16), 3.3.0–3.3.18 (fixed in 3.3.19), and 2.7.0–2.7.32 (fixed in 2.7.33); unsupported versions are also vulnerable per vendor guidance. Classified as CWE-330 with CVSS 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), CVE-2026-40975 was published on 2026-04-28.

Remote attackers without privileges can exploit this over the network, though it demands high complexity and no user interaction. Successful attacks yield limited confidentiality loss (e.g., partial secret exposure) or integrity impacts on a single instance, with no availability effects.

The official advisory at https://spring.io/security/cve-2026-40975 urges upgrading to patched versions; no other mitigations are detailed, and end-of-life releases stay exposed.
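Two defender-side checks that follow from the description above, written here as an added example (not code from the advisory, the Spring project, or this site). The first compares a Spring Boot version string against the affected and fixed ranges quoted in the NVD description; the second scans an application.properties or application.yml body for ${random.value}, ${random.int} and ${random.long} placeholders and marks those assigned to secret-looking keys. ${random.uuid} is left alone, as the description says it is not affected. The key-name hints, the sample configuration and the treatment of unlisted older release lines as end-of-life are assumptions made for the example.

```python
"""
Added example for CVE-2026-40975 (not from the advisory or the Spring project).

1. is_affected(version): compares a Spring Boot version against the
   affected/fixed ranges given in the NVD description on this page.
2. find_risky_placeholders(text): finds ${random.value}/${random.int}/
   ${random.long} in a Spring Boot properties or YAML body and flags
   secret-looking keys. ${random.uuid} is not flagged (not affected).
"""
import re

# First fixed patch level per supported release line, from the NVD description.
FIXED_PATCH = {
    (4, 0): 6,   # 4.0.0-4.0.5 affected, fixed in 4.0.6
    (3, 5): 14,  # 3.5.0-3.5.13 affected, fixed in 3.5.14
    (3, 4): 16,  # 3.4.0-3.4.15 affected, fixed in 3.4.16
    (3, 3): 19,  # 3.3.0-3.3.18 affected, fixed in 3.3.19
    (2, 7): 33,  # 2.7.0-2.7.32 affected, fixed in 2.7.33
}
NEWEST_LISTED_LINE = (4, 0)


def parse_version(version):
    """Parse 'major.minor.patch' with an optional qualifier such as -SNAPSHOT."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return 'patched', 'affected', 'unsupported' or 'unknown' for a version.

    'unsupported' is returned for any release line older than those listed;
    the advisory states unsupported lines are affected (assumption: every
    unlisted older line is end-of-life). Lines newer than 4.0 are 'unknown'
    because this advisory does not cover them.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[line] else "affected"
    if line > NEWEST_LISTED_LINE:
        return "unknown"
    return "unsupported"


PLACEHOLDER_RE = re.compile(r"\$\{random\.(value|int|long|uuid)[^}]*\}")
KEY_VALUE_RE = re.compile(r"^\s*([\w.\-\[\]]+)\s*[=:]\s*(.*)$")
# Heuristic key-name hints (assumption for this example, not from the page).
SECRET_HINTS = ("secret", "password", "passwd", "token", "credential",
                "salt", "apikey", "api-key", "api.key")


def find_risky_placeholders(text):
    """Return [(line_no, key, kind, secret_like)] for random.value/int/long uses."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        kv = KEY_VALUE_RE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        for m in PLACEHOLDER_RE.finditer(value):
            kind = m.group(1)
            if kind == "uuid":
                continue  # ${random.uuid} is not affected per the description
            secret_like = any(h in key.lower() for h in SECRET_HINTS)
            findings.append((no, key, kind, secret_like))
    return findings


# Constructed sample configuration for the example; not from any real project.
SAMPLE_PROPERTIES = """\
# constructed example
server.port=8080
app.session.secret=${random.value}
app.request.id=${random.uuid}
app.shuffle.seed=${random.int[1,1000]}
app.api.token=${random.long}
"""

if __name__ == "__main__":
    for v in ("3.5.13", "3.5.14", "3.1.4", "4.0.6"):
        print(v, is_affected(v))
    for finding in find_risky_placeholders(SAMPLE_PROPERTIES):
        print(finding)
```

In a vulnerability-management workflow the version check covers the RA-5/SI-2 side (is this deployment still on an affected build?), while the placeholder scan gives a configuration-level signal that survives an upgrade: a secret sourced from ${random.int} or ${random.long} stays predictable regardless of the Spring Boot version, and the description says those should never be used for secrets at all.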

Details

CWE(s)

CWE-330 Use of Insufficiently Random Values

Affected Products

VMware Spring Boot: ≤ 2.7.33 · 3.3.0 — 3.3.19 · 3.4.0 — 3.4.16

CVEs Like This One

CVE-2026-22731 (same product: VMware Spring Boot)
CVE-2026-22733 (same product: VMware Spring Boot)
CVE-2026-40976 (same product: VMware Spring Boot)
CVE-2026-40972 (same product: VMware Spring Boot)
CVE-2026-40968 (same vendor: VMware)
CVE-2025-22218 (same vendor: VMware)
CVE-2025-22225 (same vendor: VMware)
CVE-2025-22226 (same vendor: VMware)
CVE-2026-22719 (same vendor: VMware)
CVE-2025-22219 (same vendor: VMware)

References