Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Adjacent network MitM required (AV:A/AC:H); no privileges needed; confidentiality and integrity at risk but availability impact unsupported by the interception-only threat model.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected.
Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
AnalysisAI
Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.
Technical ContextAI
Spring Boot's auto-configuration layer (org.springframework.boot.autoconfigure.mail) provisions JavaMail Session beans without enabling the smtp.ssl.checkserveridentity property, which is the JavaMail mechanism that instructs the JSSE layer to validate that the server certificate's subject name matches the target hostname. CWE-295 (Improper Certificate Validation) is the root cause class: the TLS handshake succeeds and the certificate chain may be valid, but without hostname binding an attacker can present any certificate from a trusted CA for an unrelated domain. The affected CPE is cpe:2.3:a:spring:spring_boot:*:*:*:*:*:*:*:*, covering the Spring Boot artifact as distributed by VMware (Broadcom). The vulnerability surfaces only on SMTP connections that traverse a TLS session; plaintext SMTP (port 25 without STARTTLS or SSL) is unaffected by this control but carries its own risks.
RemediationAI
The immediate workaround - which is also fully protective - is to add spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to application.properties or application.yml in all affected deployments; this explicitly re-enables hostname verification and is noted by the vendor as sufficient to prevent exploitation with no functional side effects on compliant mail servers. For a permanent fix, upgrade to a patched Spring Boot release; exact fixed versions are not confirmed in the provided input data and must be obtained from the vendor advisory at https://spring.io/security/cve-2026-40992 before applying. Organizations that cannot upgrade or add the property immediately should restrict outbound SMTP to trusted relay hosts via network egress controls, reducing the opportunity for network-level MitM, though this does not eliminate the underlying misconfiguration.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36203
GHSA-9wxp-w4px-32vh