PT-2026-35540 · Vmware · Spring Boot
Published
2026-04-27
·
Updated
2026-06-03
·
CVE-2026-40972
CVSS v3.1
7.5
High
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Spring Boot versions 4.0.0 through 4.0.5
Spring Boot versions 3.5.0 through 3.5.13
Spring Boot versions 3.4.0 through 3.4.15
Spring Boot versions 3.3.0 through 3.3.18
Spring Boot versions 2.7.0 through 2.7.32
Spring Boot versions prior to 2.7.0
Description
An attacker on the same network as the remote application can use a timing attack—a method of discovering secrets by analyzing the time a system takes to respond to different inputs—to obtain information about the remote secret during DevTools remote secret comparison. In extreme cases, this could allow the attacker to determine the secret and upload modified classes, leading to remote code execution.
Recommendations
Update to version 4.0.6
Update to version 3.5.14
Update to version 3.4.16
Update to version 3.3.19
Update to version 2.7.33
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Spring Boot