HIGH | APRIL 23, 2026 | CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the
directory used by ApplicationTemp. When server.servlet.session.persistent is set to
true and the attack persists across application restarts, this may allow the…
MEDIUM | APRIL 23, 2026 | CVE-2026-40975
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is
not affected. ${random.int} and ${random.long} should never be used for secrets as they
are numeric values with a predictable range. Affected Spring Products…
MEDIUM | APRIL 23, 2026 | CVE-2026-40974
Spring Boot's Cassandra auto-configuration does not perform hostname verification when
establishing an SSL connection to Cassandra.
Affected Spring Products and Versions
Spring Boot: 4.0.0 - 4.0.5, 3.5.0 - 3.5.13, 3.4.0 - 3.4.15, 3.3.0 - 3.3.18, 2.7.…
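Added example, not code from the advisory or from Spring Boot: a CqlSessionBuilderCustomizer that installs an SSL engine factory with hostname validation required, so a node certificate that chains to a trusted CA but was issued for a different host is rejected. Assumptions: Spring Boot 3.x package names, an SSL bundle named `cassandra` declared under `spring.ssl.bundle.*`, that customizers are applied after the auto-configuration's own SSL setup, and that the DataStax Java driver 4.x `ProgrammaticSslEngineFactory` constructor takes a third `requireHostnameValidation` argument (my recollection of the driver API; check it against the driver version on your classpath).

```java
import javax.net.ssl.SSLContext;

import com.datastax.oss.driver.api.core.ssl.ProgrammaticSslEngineFactory;
import org.springframework.boot.autoconfigure.cassandra.CqlSessionBuilderCustomizer;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CassandraTlsHostnameVerification {

    // Assumed bundle name: matches spring.ssl.bundle.jks.cassandra.* or spring.ssl.bundle.pem.cassandra.*
    private static final String BUNDLE = "cassandra";

    @Bean
    CqlSessionBuilderCustomizer cassandraRequireHostnameValidation(SslBundles sslBundles) {
        SSLContext sslContext = sslBundles.getBundle(BUNDLE).createSslContext();
        // Assumption: CqlSessionBuilderCustomizer beans run after the auto-configuration
        // has applied its own SSL settings, so the factory installed here is the one the
        // session actually uses. The third constructor argument is the driver's
        // requireHostnameValidation flag: with it set, each SSLEngine is created with
        // endpoint identification enabled and the peer certificate's SAN/CN must match
        // the contact point, not merely chain to a trusted CA.
        return builder -> builder.withSslEngineFactory(
                new ProgrammaticSslEngineFactory(sslContext, null, true));
    }
}
```

The check after deploying: point the application at a node whose certificate is trusted but was issued for a different hostname. The session must fail to connect; if it still connects, hostname verification is not in effect on the path your configuration takes.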
CRITICAL | APRIL 23, 2026 | CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing
unauthorized access to all endpoints. For an application to be vulnerable, it must:
- be a servlet-based web application
- have no Spring Security configuration of its…
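The list of conditions is cut off above, but the one it does state in full, relying on Spring Boot's default security rather than declaring your own, is removable today. Added example, not code from the advisory or from Spring: an explicit SecurityFilterChain with deny-by-default authorization, followed by a MockMvc regression test that fails if an unauthenticated request ever reaches a protected endpoint. Package names follow Spring Security 6 / Spring Boot 3; the `/actuator/health` allow-list entry and the `/api/orders` probe path are assumptions for illustration.

```java
// --- src/main/java: the explicit configuration ---
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ExplicitWebSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Deny by default: anything not explicitly permitted requires authentication.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll() // assumed allow-list entry
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// --- src/test/java: the check that the chain is actually in force ---
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class DenyByDefaultTest {

    @Autowired
    MockMvc mvc;

    @Test
    void anonymousRequestIsRejected() throws Exception {
        // Accept: application/json selects the HTTP Basic entry point, so the
        // expected response is a 401 rather than a redirect to the login page.
        mvc.perform(get("/api/orders").accept(MediaType.APPLICATION_JSON)) // assumed protected path
           .andExpect(status().isUnauthorized());
    }
}
```

The test is the part worth keeping: it asserts on behaviour, so it catches a future regression in the defaults as well as a misplaced permitAll in your own configuration.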
MEDIUM | APRIL 23, 2026 | CVE-2026-40977
When an application is configured to use ApplicationPidFileWriter, a local attacker
with write access to the PID file's location can corrupt one file on the host each time
the application is started. Affected Spring Products and Versions Spring…
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.
An attacker with a valid one-time token can send concurrent requests to the…
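The race is the classic shape: a check (does this token exist and is it unexpired?) and a separate use (delete it), with nothing preventing two requests from both passing the check before either deletes. Added illustration of that class, my code rather than Spring Security's JdbcOneTimeTokenService and not the fix shipped for this CVE: the racy shape beside one that makes the DELETE itself the gate, so that of N concurrent callers exactly one sees an update count of 1. Table and column names follow Spring Security's reference one_time_tokens schema as I recall it (token_value, username, expires_at); verify against your own schema.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.util.List;
import java.util.Optional;

import org.springframework.jdbc.core.JdbcTemplate;

/** Illustration of the TOCTOU race class on one-time tokens; not Spring Security code. */
public class OneTimeTokenConsumer {

    private final JdbcTemplate jdbc;

    public OneTimeTokenConsumer(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    /**
     * RACY: the SELECT is the check and the DELETE is the use, as separate statements.
     * Two requests carrying the same token can both execute the SELECT before either
     * DELETE runs, so both return a username and the "one-time" token is redeemed twice.
     */
    public Optional<String> consumeRacy(String tokenValue) {
        List<String> users = jdbc.query(
                "SELECT username FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
                (rs, rowNum) -> rs.getString("username"),
                tokenValue, Timestamp.from(Instant.now()));
        if (users.isEmpty()) {
            return Optional.empty();
        }
        jdbc.update("DELETE FROM one_time_tokens WHERE token_value = ?", tokenValue);
        return Optional.of(users.get(0));
    }

    /**
     * ATOMIC: the username is read only as data; a single conditional DELETE decides.
     * The database serialises concurrent DELETEs on the same row, so exactly one caller
     * gets an update count of 1 and everyone else gets 0 and is refused, even though
     * all of them may have read the username first. Expiry is evaluated in the same
     * statement, so a token that expires between check and use cannot slip through.
     */
    public Optional<String> consumeAtomic(String tokenValue) {
        List<String> users = jdbc.query(
                "SELECT username FROM one_time_tokens WHERE token_value = ?",
                (rs, rowNum) -> rs.getString("username"),
                tokenValue);
        if (users.isEmpty()) {
            return Optional.empty();
        }
        int deleted = jdbc.update(
                "DELETE FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
                tokenValue, Timestamp.from(Instant.now()));
        return deleted == 1 ? Optional.of(users.get(0)) : Optional.empty();
    }
}
```

To reproduce the race against your own login endpoint, issue one token and fire a burst of simultaneous requests that all present it: the racy shape logs several successful logins, the atomic shape exactly one.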
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a…
LOW | APRIL 20, 2026 | CVE-2026-22746
If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled…
MEDIUM | APRIL 20, 2026 | CVE-2026-22747
SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating…
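Reading the wrong name out of a CN is a general hazard whenever the subject DN is handled as a string: a CN value containing an escaped separator (`CN=alice\, admin`), or a subject carrying more than one CN, can make pattern-based extraction return a name other than the one the issuing CA bound. Whether that is the exact malformation behind this advisory is not stated above. Added example, my code rather than Spring Security's SubjectX500PrincipalExtractor and not the patch for this CVE: a principal extractor that parses the RFC 2253 form of the subject with javax.naming.ldap.LdapName and refuses anything other than exactly one CN. The main method builds X500Principal values from constructed DN strings, so it needs no certificate to run.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/** Strict, parser-based CN extractor that refuses ambiguity. Not Spring Security's own extractor. */
public final class StrictCnPrincipalExtractor implements X509PrincipalExtractor {

    @Override
    public Object extractPrincipal(X509Certificate cert) {
        return extractCn(cert.getSubjectX500Principal());
    }

    /** Returns the single CN, or throws if the subject is unparseable, has no CN, or has several. */
    public static String extractCn(X500Principal subject) {
        // RFC2253 output has well-defined escaping; X500Principal.toString() promises no such thing.
        String dn = subject.getName(X500Principal.RFC2253);
        List<String> cns = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                // toAttributes() is case-insensitive and also covers multi-valued RDNs (CN=a+OU=b).
                Attribute cn = rdn.toAttributes().get("cn");
                if (cn == null) {
                    continue;
                }
                for (int i = 0; i < cn.size(); i++) {
                    cns.add(String.valueOf(cn.get(i)));
                }
            }
        } catch (NamingException e) {
            throw new IllegalArgumentException("unparseable subject DN: " + dn, e);
        }
        if (cns.size() != 1) {
            throw new IllegalArgumentException("expected exactly one CN, found " + cns.size() + " in " + dn);
        }
        return cns.get(0);
    }

    // Constructed DNs for demonstration; no real certificates involved.
    public static void main(String[] args) {
        // Escaped comma inside the CN: the bound name is "alice, admin", not "alice".
        System.out.println(extractCn(new X500Principal("CN=alice\\, admin,OU=users,O=Example")));
        // Two CNs: which one is the user? Refuse rather than guess.
        try {
            extractCn(new X500Principal("CN=alice,CN=root,O=Example"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wire it in with `http.x509(x509 -> x509.principalExtractor(new StrictCnPrincipalExtractor()))`. Rejecting multi-CN subjects is a policy choice; the point is that the extractor fails closed on anything it cannot map to one name unambiguously.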
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder…
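Added example, not from the advisory or the Spring Security reference: a NimbusJwtDecoder built from a JWK set URI, the easy-to-miss path described above, shown without and then with the validator set explicitly, so that issuer, expiry and audience are all enforced. The issuer URL, JWK set URI and audience value are placeholders.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values; take them from configuration in a real application.
    private static final String ISSUER = "https://issuer.example";
    private static final String JWK_SET_URI = "https://issuer.example/.well-known/jwks.json";
    private static final String AUDIENCE = "orders-api";

    /**
     * INCOMPLETE: verifies the signature against the JWK set, but beyond the decoder's
     * built-in defaults nothing here says which issuer the key set belongs to or which
     * audience the token must name. A token minted for some other service and signed
     * by a key in that set passes.
     */
    JwtDecoder signatureOnlyDecoder() {
        return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
    }

    /**
     * COMPLETE: the same decoder with the validator set explicitly. createDefaultWithIssuer
     * bundles the timestamp (exp/nbf) and issuer checks; the audience check is added on top.
     */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}
```

Two caveats worth knowing: declaring your own JwtDecoder bean replaces the one Spring Boot's resource-server auto-configuration would have built from `spring.security.oauth2.resourceserver.jwt.issuer-uri`, so the validator has to come with it; and `JwtDecoders.fromIssuerLocation(ISSUER)` configures issuer validation for you, but still leaves the audience check to you.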