Cyber Resilience

CVE-2026-40976

CriticalUpdated

Published: 28 April 2026

Published
28 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0049 38.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40976 is a critical-severity Missing Authorization (CWE-862) vulnerability in Vmware Spring Boot. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40976 affects Spring Boot versions 4.0.0 through 4.0.5, where the default web security becomes ineffective under specific conditions, allowing unauthorized access to all endpoints. Vulnerable applications must be servlet-based web applications that have no custom Spring Security configuration, rely solely on the default web security filter chain, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health. If any of these conditions are not met, the application is not vulnerable. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation grants unauthorized access to all application endpoints, enabling attackers to read sensitive data, modify application state, or perform other privileged actions depending on the exposed functionality.

The Spring vendor advisory at https://spring.io/security/cve-2026-40976 recommends upgrading to Spring Boot 4.0.6 or later as the primary mitigation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on…

more

the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote unauthenticated access vulnerability in a public-facing Spring Boot web application due to ineffective default security, directly enabling exploitation of public-facing applications (T1190) for initial access to endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40972Same product: Vmware Spring Boot
CVE-2026-22731Same product: Vmware Spring Boot
CVE-2026-22733Same product: Vmware Spring Boot
CVE-2026-40975Same product: Vmware Spring Boot
CVE-2026-22747Same vendor: Vmware
CVE-2026-22753Same vendor: Vmware
CVE-2026-22719Same vendor: Vmware
CVE-2026-41002Same vendor: Vmware
CVE-2026-22750Same vendor: Vmware
CVE-2026-22754Same vendor: Vmware

Affected Assets

vmware
spring boot
4.0.0 — 4.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring identification, reporting, and correction of the Spring Boot flaw via timely upgrades to version 4.0.6 or later.

prevent

Enforces approved authorizations for logical access to endpoints, directly countering the missing authorization that allows unauthorized access in vulnerable Spring Boot configurations.

prevent

Establishes and enforces secure configuration settings to avoid reliance on the vulnerable default web security filter chain without custom Spring Security.

References