Skip to main content

Spring Boot CVE-2026-40972

HIGH
Observable Timing Discrepancy (CWE-208)
2026-04-27 vmware GHSA-56v8-86gj-66jp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 00:22 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 00:00 vuln.today
Analysis Generated
Apr 27, 2026 - 23:30 vuln.today
CVE Published
Apr 27, 2026 - 23:15 nvd
HIGH 7.5

DescriptionCVE.org

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.

Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

AnalysisAI

Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.

Technical ContextAI

Spring Boot DevTools provides a remote application restart feature for development convenience, allowing developers to push class file changes to running applications. This feature uses a shared secret for authentication. The vulnerability (CWE-208: Observable Timing Discrepancy) exists in the secret comparison logic during remote DevTools authentication. The implementation leaks information about the correct secret through measurable timing differences in the comparison operation, likely using a non-constant-time string/byte comparison instead of a cryptographically safe comparison function. An attacker can exploit these microsecond-level timing variations to iteratively guess each character of the secret, eventually recovering the full shared secret. Once the secret is compromised, the attacker can authenticate to the DevTools remote endpoint and upload arbitrary class files, which are then loaded into the running JVM, achieving full remote code execution with the privileges of the Spring Boot application process. The CPE string cpe:2.3:a:spring:spring_boot identifies the affected product across multiple major version branches spanning from legacy 2.7.x to current 4.0.x releases.

RemediationAI

Upgrade to patched Spring Boot versions: 2.7.33 for 2.x branch, 3.3.19 for 3.3.x, 3.4.16 for 3.4.x, 3.5.14 for 3.5.x, or 4.0.6 for 4.0.x as detailed in the official Spring security advisory at https://spring.io/security/cve-2026-40972 and HeroDevs advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-40972. If immediate patching is not feasible, disable Spring Boot DevTools remote restart functionality entirely by removing the spring.devtools.remote.secret property from application configuration and excluding the spring-boot-devtools dependency from production builds (standard best practice is to mark it as optional or use Maven profiles to exclude from production artifacts). For organizations requiring remote debugging capabilities in non-production environments, implement strict network segmentation to isolate development servers from untrusted networks, enforce VPN access with strong authentication, and rotate DevTools secrets frequently (though rotation alone does not fix the timing attack vulnerability). Note that disabling DevTools prevents the vulnerable code path from being reachable but verify exclusion through dependency analysis. Production deployments should never include spring-boot-devtools dependency; if found in production, treat as critical misconfiguration requiring immediate remediation beyond this CVE.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-40972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy