Skip to main content

Spring Boot

12 CVEs product

Monthly

CVE-2026-41001 MEDIUM PATCH This Month

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40992 MEDIUM PATCH This Month

Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-40976 Maven CRITICAL PATCH GHSA Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40975 Maven HIGH PATCH This Week

{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them unsuitable for use as secrets such as passwords, tokens, or keys. The numeric `${random.int}` and `${random.long}` placeholders are even weaker, drawing from a small predictable range, while `${random.uuid}` is explicitly unaffected. There is no public exploit identified at time of analysis (SSVC exploitation: none; EPSS 0.03%), so the practical risk depends entirely on whether a given deployment actually used these placeholders to seed real secrets.

Information Disclosure Java Spring Boot
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2023-34055 Maven MEDIUM PATCH This Month

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Boot
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2023-20883 Maven HIGH PATCH This Week

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Spring Boot
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-20873 Maven CRITICAL PATCH Act Now

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Spring Boot
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-22602 Maven HIGH PATCH This Week

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Authentication Bypass Shiro Spring Boot
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-27772 Maven HIGH POC PATCH This Week

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Java Information Disclosure Spring Boot
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2021-26987 CRITICAL Act Now

Element Plug-in for vCenter Server incorporates SpringBoot Framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Spring Boot Element Plug In For Vcenter Server Management Services For Element Software And Netapp Hci +1
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2018-1196 Maven MEDIUM PATCH This Month

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Information Disclosure Spring Boot
NVD
CVSS 3.0
5.9
EPSS
1.2%
CVE-2017-8046 Maven CRITICAL POC PATCH THREAT Act Now

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 72.8%.

RCE Java Spring Boot Spring Data Rest
NVD Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
72.8%
Threat
5.6
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to man-in-the-middle interception of outbound email traffic on adjacent network segments. Three active release lines are affected - 3.4.x through 3.4.16, 3.5.x through 3.5.14, and 4.0.x through 4.0.6 - unless the deploying application has explicitly set the JavaMail property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true to override the insecure default. No public exploit has been identified at time of analysis, but the flaw is present by default in any Spring Boot application that uses the built-in Mail auto-configuration with TLS/SSL and has not applied the corrective property.

Java Information Disclosure Spring Boot
NVD VulDB HeroDevs
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them unsuitable for use as secrets such as passwords, tokens, or keys. The numeric `${random.int}` and `${random.long}` placeholders are even weaker, drawing from a small predictable range, while `${random.uuid}` is explicitly unaffected. There is no public exploit identified at time of analysis (SSVC exploitation: none; EPSS 0.03%), so the practical risk depends entirely on whether a given deployment actually used these placeholders to seed real secrets.

Information Disclosure Java Spring Boot
NVD HeroDevs VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Boot
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Spring Boot
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Spring Boot
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Authentication Bypass +2
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Java Information Disclosure Spring Boot
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Element Plug-in for vCenter Server incorporates SpringBoot Framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE VMware Spring Boot +3
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Information Disclosure Spring Boot
NVD
EPSS 73% 5.6 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 72.8%.

RCE Java Spring Boot +1
NVD Exploit-DB VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy