Cyber Resilience

CVE-2026-40975

Severity: Medium (updated)

Published: 28 April 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS v3.1 Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0031 (23.0th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40975 is a medium-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Vmware Spring Boot. Its CVSS base score is 4.8 (Medium).

Operationally, its EPSS score places it at the 23.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

Spring Boot's random value property source employs a weak pseudo-random number generator (PRNG), rendering values from ${random.value} unsuitable for secrets; ${random.uuid} remains unaffected, while ${random.int} and ${random.long} are inherently unsuitable due to predictable numeric ranges. Affected versions span Spring Boot 4.0.0–4.0.5 (fixed in 4.0.6), 3.5.0–3.5.13 (fixed in 3.5.14), 3.4.0–3.4.15 (fixed in 3.4.16), 3.3.0–3.3.18 (fixed in 3.3.19), and 2.7.0–2.7.32 (fixed in 2.7.33); unsupported versions are also vulnerable per vendor guidance. Classified as CWE-330 with CVSS 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), CVE-2026-40975 was published on 2026-04-28.

The vector describes exploitation by an unprivileged attacker over the network with no user interaction required, but with high attack complexity. Successful exploitation yields limited confidentiality loss (e.g., partial secret exposure) and limited integrity impact on a single instance, with no availability effect.

The official advisory at https://spring.io/security/cve-2026-40975 urges upgrading to patched versions; no other mitigations are detailed, and end-of-life releases stay exposed.

Vulnerability details

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
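As an added defensive check for the property-source behaviour described in the Deeper analysis and Vulnerability details sections above (example code written for this page, not code from the advisory or from Spring Boot), the script below scans a Spring Boot .properties or YAML file for ${random.value}, ${random.int} and ${random.long} placeholders, skips the unaffected ${random.uuid} form, and flags placeholders that feed secret-looking property names. The SECRET_HINTS heuristic and the sample configuration are constructed assumptions.

```python
import re

# Placeholder forms served by Spring Boot's RandomValuePropertySource:
# ${random.value} is the affected form (CVE-2026-40975); ${random.int}/${random.long},
# with or without a range suffix like [1024,65535], are never suitable for secrets.
PLACEHOLDER_RE = re.compile(
    r"\$\{\s*random\.(value|int|long|uuid)(?:[\(\[][^)\]]*[\)\]])?\s*\}"
)
# Property-name fragments that suggest the value is used as a secret
# (assumed heuristic, not from the advisory).
SECRET_HINTS = ("secret", "password", "passwd", "token", "key", "credential", "salt")
# Matches "key=value" (.properties) and "key: value" (YAML) lines.
KV_RE = re.compile(r"([\w.\-\[\]]+)\s*[=:]\s*(.*)")

def find_random_placeholders(text):
    """Return one finding per random.* placeholder, skipping the unaffected uuid form."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2)
        for ph in PLACEHOLDER_RE.finditer(value):
            kind = ph.group(1)
            if kind == "uuid":
                continue
            findings.append({
                "line": lineno,
                "key": key,
                "placeholder": ph.group(0),
                "reason": "weak PRNG (CVE-2026-40975)" if kind == "value"
                          else "predictable numeric range",
                "likely_secret": any(h in key.lower() for h in SECRET_HINTS),
            })
    return findings

# Constructed sample application.properties (not from any real project).
SAMPLE = """\
# application.properties
app.session.secret=${random.value}
app.api.token=${random.int[100000,999999]}
app.instance.id=${random.uuid}
app.correlation.id=${random.value}
server.port=8080
"""
if __name__ == "__main__":
    print(*find_random_placeholders(SAMPLE), sep="\n")
```

The scan complements, not replaces, upgrading to the fixed versions listed above; secrets flagged as generated on an affected release warrant review.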

CWE(s)

CWE-330 (Use of Insufficiently Random Values)

MITRE ATT&CK Enterprise Techniques (AI-generated)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22733 (same product: Vmware Spring Boot)
CVE-2026-22731 (same product: Vmware Spring Boot)
CVE-2026-40972 (same product: Vmware Spring Boot)
CVE-2026-40976 (same product: Vmware Spring Boot)
CVE-2026-22720 (same vendor: Vmware)
CVE-2026-22747 (same vendor: Vmware)
CVE-2025-22219 (same vendor: Vmware)
CVE-2026-40968 (same vendor: Vmware)
CVE-2026-41702 (same vendor: Vmware)
CVE-2026-41713 (same vendor: Vmware)

Affected Assets

Vendor: vmware
Product: spring boot
Versions: ≤ 2.7.33 · 3.3.0 – 3.3.19 · 3.4.0 – 3.4.16

Mitigating Controls (NIST 800-53 r5, AI-generated)

SI-2 Flaw Remediation (prevent, recover): directly mandates timely patching of the weak PRNG flaw in affected Spring Boot versions, as recommended by the vendor advisory.

RA-5 Vulnerability Monitoring and Scanning (detect): enables detection of vulnerable Spring Boot deployments through regular vulnerability scanning for this specific CVE.

Unsupported software (prevent): prohibits use of unsupported Spring Boot versions that remain vulnerable per the vendor guidance.

References

Vendor advisory: https://spring.io/security/cve-2026-40975