CVE-2026-40976
Published: 28 April 2026
Summary
CVE-2026-40976 is a critical-severity Missing Authorization (CWE-862) vulnerability in Vmware Spring Boot. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring identification, reporting, and correction of the Spring Boot flaw via timely upgrades to version 4.0.6 or later.
Enforces approved authorizations for logical access to endpoints, directly countering the missing authorization that allows unauthorized access in vulnerable Spring Boot configurations.
Establishes and enforces secure configuration settings to avoid reliance on the vulnerable default web security filter chain without custom Spring Security.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote unauthenticated access vulnerability in a public-facing Spring Boot web application due to ineffective default security, directly enabling exploitation of public-facing applications (T1190) for initial access to endpoints.
NVD Description
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on…
more
the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Deeper analysisAI
CVE-2026-40976 affects Spring Boot versions 4.0.0 through 4.0.5, where the default web security becomes ineffective under specific conditions, allowing unauthorized access to all endpoints. Vulnerable applications must be servlet-based web applications that have no custom Spring Security configuration, rely solely on the default web security filter chain, depend on spring-boot-actuator-autoconfigure, and do not depend on spring-boot-health. If any of these conditions are not met, the application is not vulnerable. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high confidentiality and integrity impacts.
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. Exploitation grants unauthorized access to all application endpoints, enabling attackers to read sensitive data, modify application state, or perform other privileged actions depending on the exposed functionality.
The Spring vendor advisory at https://spring.io/security/cve-2026-40976 recommends upgrading to Spring Boot 4.0.6 or later as the primary mitigation.
Details
- CWE(s)