Skip to main content

Spring Boot CVE-2026-40973

HIGH
Insecure Temporary File (CWE-377)
2026-04-28 security@vmware.com GHSA-wwpq-f5c3-7hvx
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 20:23 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 00:30 vuln.today
Analysis Generated
Apr 28, 2026 - 00:22 vuln.today
CVE Published
Apr 28, 2026 - 00:16 nvd
HIGH 7.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,921 maven packages depend on org.springframework.boot:spring-boot (120 direct, 1,801 indirect)

Ecosystem-wide dependent count for version 4.0.0.

DescriptionCVE.org

A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.

Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); predictable temp directory / ApplicationTemp ownership verification. Versions that are no longer supported are also affected per vendor advisory.

AnalysisAI

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Technical ContextAI

Spring Boot's ApplicationTemp directory is used for temporary file operations and session persistence when server.servlet.session.persistent is configured. The vulnerability stems from CWE-377 (Insecure Temporary File), indicating predictable directory paths and inadequate ownership verification. A local attacker can exploit race conditions or predictable naming patterns to substitute the ApplicationTemp directory with their own controlled location. When persistent sessions are enabled, Spring Boot serializes session objects to this directory across application restarts. By controlling this directory, an attacker can inject malicious serialized objects (gadget chain attacks in Java deserialization contexts) or read existing session files containing authentication tokens, session IDs, and user state. The attack requires low privileges (PR:L) but high attack complexity (AC:H), suggesting timing dependencies or specific system conditions must align. The vulnerability spans multiple Spring Boot major versions from 2.7.x through 4.0.x, indicating a long-standing architectural issue in temporary directory handling.

RemediationAI

Upgrade to patched Spring Boot versions immediately: 4.0.6 or later for 4.0.x branch, 3.5.14 or later for 3.5.x, 3.4.16 or later for 3.4.x, 3.3.19 or later for 3.3.x, or 2.7.33 or later for 2.7.x deployments. Download patches and review complete upgrade guidance at https://spring.io/security/cve-2026-40973. For systems that cannot immediately upgrade, disable persistent sessions by setting server.servlet.session.persistent to false in application.properties or application.yml, which eliminates the attack vector but will cause session loss across application restarts, affecting user experience in maintenance scenarios. As an additional defense layer, restrict local user access to application servers through operating system access controls, implement mandatory access control (MAC) policies like SELinux or AppArmor to confine the Spring Boot process and prevent directory manipulation by other local users, and monitor ApplicationTemp directory ownership and permissions for unexpected changes through file integrity monitoring tools. Organizations running unsupported Spring Boot versions must prioritize migration to supported branches or accept residual risk with compensating controls, as no vendor patches will be provided.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-40973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy