Skip to main content

Spring Boot CVE-2026-40975

HIGH
Use of Insufficiently Random Values (CWE-330)
2026-04-28 security@vmware.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Confidentiality-only impact with no patch-side privilege need, but AC:H because exploitation depends on the app using these placeholders for secrets and on predicting a weak PRNG.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
8.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 04:31 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:31 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
4.8 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Apr 28, 2026 - 00:32 vuln.today
Analysis Generated
Apr 28, 2026 - 00:22 vuln.today
CVE Published
Apr 28, 2026 - 00:16 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 maven packages depend on org.springframework.boot:spring-boot-cassandra (5 direct, 11 indirect)

Ecosystem-wide dependent count for version 4.0.0.

DescriptionNVD

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.

Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14), 3.4.0-3.4.15 (fix 3.4.16), 3.3.0-3.3.18 (fix 3.3.19), 2.7.0-2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

AnalysisAI

{random.value} property placeholder are generated with a non-cryptographic pseudo-random number generator, making them unsuitable for use as secrets such as passwords, tokens, or keys. The numeric ${random.int} and ${random.long} placeholders are even weaker, drawing from a small predictable range, while ${random.uuid}` is explicitly unaffected. There is no public exploit identified at time of analysis (SSVC exploitation: none; EPSS 0.03%), so the practical risk depends entirely on whether a given deployment actually used these placeholders to seed real secrets.

Technical ContextAI

Spring Boot's RandomValuePropertySource resolves ${random.*} placeholders in application.properties/application.yml and is backed by java.util.Random, a linear congruential generator that is statistically predictable and not seeded with cryptographic entropy. This is a textbook CWE-330 (Use of Insufficiently Random Values) issue: the root cause is the misuse of a general-purpose PRNG where a CSPRNG (e.g., java.security.SecureRandom) is required. The affected CPE is cpe:2.3:a:vmware:spring_boot across the listed version ranges. ${random.int} and ${random.long} compound the weakness by returning numeric values within a bounded, guessable range; ${random.uuid} is unaffected because it is generated from a cryptographically strong source. The vendor's fix hardens or warns against using these sources for secret material rather than changing application code that already depends on them.

RemediationAI

Vendor-released patches are available: upgrade to Spring Boot 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33 as appropriate for your branch, per the Spring advisory at https://spring.io/security/cve-2026-40975; Red Hat users should apply the corresponding errata (e.g., RHSA-2026:17668 at https://access.redhat.com/errata/RHSA-2026:17668). Because the core problem is misuse of weak randomness for secrets, patching alone is not sufficient - audit your configuration for any ${random.value}, ${random.int}, or ${random.long} placeholders used to produce passwords, API keys, tokens, or other secret material and replace those generated values with cryptographically strong secrets from a vault or SecureRandom, rotating any secret previously created this way since it may already be predictable. ${random.uuid} does not need remediation. If immediate upgrade is not possible, the effective compensating control is to stop using these placeholders for secrets and regenerate affected secrets out-of-band; there is no network-level mitigation since the weakness is in the generated value, not a reachable service endpoint.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-40975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy