Spring Boot CVE-2026-40973
HIGHSeverity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1,921 maven packages depend on org.springframework.boot:spring-boot (120 direct, 1,801 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionCVE.org
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); predictable temp directory / ApplicationTemp ownership verification. Versions that are no longer supported are also affected per vendor advisory.
AnalysisAI
Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.
Technical ContextAI
Spring Boot's ApplicationTemp directory is used for temporary file operations and session persistence when server.servlet.session.persistent is configured. The vulnerability stems from CWE-377 (Insecure Temporary File), indicating predictable directory paths and inadequate ownership verification. A local attacker can exploit race conditions or predictable naming patterns to substitute the ApplicationTemp directory with their own controlled location. When persistent sessions are enabled, Spring Boot serializes session objects to this directory across application restarts. By controlling this directory, an attacker can inject malicious serialized objects (gadget chain attacks in Java deserialization contexts) or read existing session files containing authentication tokens, session IDs, and user state. The attack requires low privileges (PR:L) but high attack complexity (AC:H), suggesting timing dependencies or specific system conditions must align. The vulnerability spans multiple Spring Boot major versions from 2.7.x through 4.0.x, indicating a long-standing architectural issue in temporary directory handling.
RemediationAI
Upgrade to patched Spring Boot versions immediately: 4.0.6 or later for 4.0.x branch, 3.5.14 or later for 3.5.x, 3.4.16 or later for 3.4.x, 3.3.19 or later for 3.3.x, or 2.7.33 or later for 2.7.x deployments. Download patches and review complete upgrade guidance at https://spring.io/security/cve-2026-40973. For systems that cannot immediately upgrade, disable persistent sessions by setting server.servlet.session.persistent to false in application.properties or application.yml, which eliminates the attack vector but will cause session loss across application restarts, affecting user experience in maintenance scenarios. As an additional defense layer, restrict local user access to application servers through operating system access controls, implement mandatory access control (MAC) policies like SELinux or AppArmor to confine the Spring Boot process and prevent directory manipulation by other local users, and monitor ApplicationTemp directory ownership and permissions for unexpected changes through file integrity monitoring tools. Organizations running unsupported Spring Boot versions must prioritize migration to supported branches or accept residual risk with compensating controls, as no vendor patches will be provided.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-377 – Insecure Temporary File
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-wwpq-f5c3-7hvx