Spring Boot CVE-2026-40974

MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-28 [email protected]
Information Disclosure Java
5.0
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 28, 2026 - 00:30 vuln.today

DescriptionNVD

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.

Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

AnalysisAI

Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40974 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy