PT-2026-35547 · VMware · Spring Boot

Published: 2026-04-27 · Updated: 2026-04-28 · CVE-2026-40975

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Spring Boot versions 4.0.0 through 4.0.5
Spring Boot versions 3.5.0 through 3.5.13
Spring Boot versions 3.4.0 through 3.4.16
Spring Boot versions 3.3.0 through 3.3.18
Spring Boot versions 2.7.0 through 2.7.32
Spring Boot versions prior to 2.7.0
Description

Weak Pseudo-Random Number Generation (PRNG) occurs when values produced by the ${random.value} property source are used as secrets. Specifically, ${random.int} and ${random.long} are unsuitable for secrets because they are numeric values with a predictable range. A PRNG is an algorithm that generates a sequence of numbers whose properties approximate those of a truly random sequence.
Recommendations

Update to version 4.0.6
Update to version 3.5.14
Update to version 3.4.16
Update to version 3.3.19
Update to version 2.7.33
Avoid using ${random.int} and ${random.long} for secrets.
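The weak configuration beside the corrected one, as an added illustration that is not part of this advisory. The property names (app.api.secret, app.session.key) and the environment variable names are hypothetical; only the ${random.int} and ${random.long} placeholders come from the advisory. The two halves would live in separate application.properties files, they are shown together only for comparison.

```properties
# Weak (constructed example): a 32-bit int or a 64-bit long is far too small
# a keyspace for anything that must stay secret, and both are drawn from a
# numeric range an attacker can enumerate.
app.api.secret=${random.int}
app.session.key=${random.long}

# Corrected (constructed example): supply the secret from outside the
# application configuration, e.g. an environment variable injected from a
# secret store, instead of a numeric random.* placeholder.
# APP_API_SECRET and APP_SESSION_KEY are hypothetical variable names.
app.api.secret=${APP_API_SECRET}
app.session.key=${APP_SESSION_KEY}
```

A quick audit is to grep the configuration tree for `${random.int` and `${random.long` and review every hit whose key name suggests a credential, key, token or secret; updating to the fixed versions listed above remains the primary remedy.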

Fix

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2026-40975
GHSA-M4X9-HX6X-2C43

Affected Products

Spring Boot