HIGH | APRIL 27, 2026 | CVE-2026-40978
Description: SQL injection vulnerability in Spring AI's CosmosDBVectorStore allows attackers to execute arbitrary SQL queries via crafted document IDs. Only applications that use CosmosDBVectorStore and pass user-supplied input as document ids are affected…
MODERATE | APRIL 27, 2026 | CVE-2026-40979
Description: In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Only applications that use TransformersEmbeddingModel and have the cache enabled, using the default location, are affected. Affected Spring…
MODERATE | APRIL 27, 2026 | CVE-2026-40980
Description: In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by ForkPDFLayoutTextStripper. Only applications that use ForkPDFLayoutTextStripper and pass user-supplied input to…
MEDIUM | APRIL 23, 2026 | CVE-2026-40970
Description: When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5. Mitigation…
MEDIUM | APRIL 23, 2026 | CVE-2026-40971
Description: When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5, 3.5.0 - 3.5.1…
HIGH | APRIL 23, 2026 | CVE-2026-40972
Description: An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading…
HIGH | APRIL 23, 2026 | CVE-2026-40973
Description: A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the…
MEDIUM | APRIL 23, 2026 | CVE-2026-40975
Description: Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected Spring Products…
CRITICAL | APRIL 23, 2026 | CVE-2026-40976
Description: In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its…
MEDIUM | APRIL 23, 2026 | CVE-2026-40974
Description: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5, 3.5.0 - 3.5.13, 3.4.0 - 3.4.15, 3.3.0 - 3.3.18, 2.7.…