Spring Boot CVE-2026-40972
HIGHSeverity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.
Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
AnalysisAI
Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.
Technical ContextAI
Spring Boot DevTools provides a remote application restart feature for development convenience, allowing developers to push class file changes to running applications. This feature uses a shared secret for authentication. The vulnerability (CWE-208: Observable Timing Discrepancy) exists in the secret comparison logic during remote DevTools authentication. The implementation leaks information about the correct secret through measurable timing differences in the comparison operation, likely using a non-constant-time string/byte comparison instead of a cryptographically safe comparison function. An attacker can exploit these microsecond-level timing variations to iteratively guess each character of the secret, eventually recovering the full shared secret. Once the secret is compromised, the attacker can authenticate to the DevTools remote endpoint and upload arbitrary class files, which are then loaded into the running JVM, achieving full remote code execution with the privileges of the Spring Boot application process. The CPE string cpe:2.3:a:spring:spring_boot identifies the affected product across multiple major version branches spanning from legacy 2.7.x to current 4.0.x releases.
RemediationAI
Upgrade to patched Spring Boot versions: 2.7.33 for 2.x branch, 3.3.19 for 3.3.x, 3.4.16 for 3.4.x, 3.5.14 for 3.5.x, or 4.0.6 for 4.0.x as detailed in the official Spring security advisory at https://spring.io/security/cve-2026-40972 and HeroDevs advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-40972. If immediate patching is not feasible, disable Spring Boot DevTools remote restart functionality entirely by removing the spring.devtools.remote.secret property from application configuration and excluding the spring-boot-devtools dependency from production builds (standard best practice is to mark it as optional or use Maven profiles to exclude from production artifacts). For organizations requiring remote debugging capabilities in non-production environments, implement strict network segmentation to isolate development servers from untrusted networks, enforce VPN access with strong authentication, and rotate DevTools secrets frequently (though rotation alone does not fix the timing attack vulnerability). Note that disabling DevTools prevents the vulnerable code path from being reachable but verify exclusion through dependency analysis. Production deployments should never include spring-boot-devtools dependency; if found in production, treat as critical misconfiguration requiring immediate remediation beyond this CVE.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-208 – Observable Timing Discrepancy
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-56v8-86gj-66jp