Spring boot

This hub aggregates every CVE we track for Spring boot, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Spring boot.

• CVE-2026-41001Predictable Temp Directory in Artemis Auto-configuration5.3Jun 11, 2026
• CVE-2026-40992Mail Auto-Configuration Does Not Enable SSL Hostname Verification5.0Jun 11, 2026
• CVE-2026-40977When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is star...4.7Apr 27, 2026
• CVE-2026-40976In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web appli...9.1Apr 27, 2026
• CVE-2026-40975Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values ...4.8Apr 27, 2026
• CVE-2026-40974Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 ...5.0Apr 27, 2026
• CVE-2026-40973A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack...7.0Apr 27, 2026
• CVE-2026-40972An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the a...7.5Apr 27, 2026
• CVE-2026-40971When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0–4.0.5 (...5.0Apr 27, 2026
• CVE-2026-40970When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0...5.0Apr 27, 2026
• CVE-2026-22733Authentication Bypass under Actuator CloudFoundry endpoints8.2Mar 19, 2026
• CVE-2026-22731Authentication Bypass under Actuator Health groups paths8.2Mar 19, 2026
• CVE-2025-22235Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed7.3Apr 28, 2025
• CVE-2024-38807CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader6.3Aug 23, 2024
• CVE-2024-22233CVE-2024-22233: Spring Framework server Web DoS Vulnerability7.5Jan 22, 2024