PT-2026-35549 · VMware · Spring Boot

Published: 2026-04-27 · Updated: 2026-04-28 · CVE-2026-40977

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Spring Boot versions 4.0.0 through 4.0.5
Spring Boot versions 3.5.0 through 3.5.13
Spring Boot versions 3.4.0 through 3.4.15
Spring Boot versions 3.3.0 through 3.3.18
Spring Boot versions 2.7.0 through 2.7.32
Spring Boot versions prior to 2.7.0
Description

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. The issue stems from the way the ApplicationPidFileWriter component handles symbolic links at the PID file path.
Recommendations

Update to version 4.0.6
Update to version 3.5.14
Update to version 3.4.16
Update to version 3.3.19
Update to version 2.7.33

As a temporary workaround, restrict write access to the PID file's location or avoid using the ApplicationPidFileWriter component.
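As an added illustration of the workaround (this is not Spring Boot's own code or the upstream fix), the following guard can run before the application registers ApplicationPidFileWriter: it refuses a PID directory that other local users can write to, and it opens the PID path without following a symbolic link, so a planted link cannot redirect the write. The class name, the path /run/myapp/app.pid and the POSIX-only permission check are assumptions of this example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

// Added example, not part of Spring Boot: guard rails around the PID file
// location before the application is allowed to write its PID there.
public final class PidFileGuard {

    // Throws if the directory holding the PID file is writable by anyone
    // other than its owner: a shared directory is exactly the "write access
    // to the PID file's location" the advisory warns about (POSIX hosts only).
    static void requirePrivateDirectory(Path pidFile) throws IOException {
        Path dir = pidFile.toAbsolutePath().getParent();
        Set<PosixFilePermission> perms =
                Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("PID directory " + dir + " is writable by other users");
        }
    }

    // Writes the PID without following a symlink at the PID path. The explicit
    // check gives a clear error; NOFOLLOW_LINKS on the open itself closes the
    // window between that check and the write (the open fails with O_NOFOLLOW
    // semantics instead of truncating whatever the link points at).
    static void writePidNoFollow(Path pidFile, long pid) throws IOException {
        if (Files.isSymbolicLink(pidFile)) {
            throw new IOException("Refusing to write PID through symlink " + pidFile);
        }
        OpenOption[] opts = {StandardOpenOption.CREATE, StandardOpenOption.WRITE,
                StandardOpenOption.TRUNCATE_EXISTING, LinkOption.NOFOLLOW_LINKS};
        try (OutputStream out = Files.newOutputStream(pidFile, opts)) {
            out.write(Long.toString(pid).getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed path for the example; a deployment would pass the same
        // path it intends to hand to ApplicationPidFileWriter.
        Path pidFile = Path.of(args.length > 0 ? args[0] : "/run/myapp/app.pid");
        requirePrivateDirectory(pidFile);
        writePidNoFollow(pidFile, ProcessHandle.current().pid());
        System.out.println("PID written to " + pidFile);
    }
}
```

Only once both checks pass should the application go on to register ApplicationPidFileWriter for that path.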

Fix

Weakness Enumeration

Link Following

Related Identifiers

CVE-2026-40977
GHSA-5368-6H4H-GR29

Affected Products

Spring Boot