VulnerableCode Package Details - pkg:maven/org.springframework.boot/spring-boot@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-5btf-rv13-jucn Aliases: CVE-2026-40973 GHSA-wwpq-f5c3-7hvx	A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.	4.0.6 Affected by 0 other vulnerabilities.
VCID-w8ap-9xym-xfg4 Aliases: CVE-2026-40976 GHSA-8v8j-3hxp-93wr	In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.	4.0.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5btf-rv13-jucn
Aliases:
CVE-2026-40973
GHSA-wwpq-f5c3-7hvx

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.

4.0.6
Affected by 0 other vulnerabilities.

VCID-w8ap-9xym-xfg4
Aliases:
CVE-2026-40976
GHSA-8v8j-3hxp-93wr

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

4.0.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:29:39.938580+00:00	GHSA Importer	Affected by	VCID-5btf-rv13-jucn	https://github.com/advisories/GHSA-wwpq-f5c3-7hvx	38.6.0
2026-06-13T06:29:39.503031+00:00	GHSA Importer	Affected by	VCID-w8ap-9xym-xfg4	https://github.com/advisories/GHSA-8v8j-3hxp-93wr	38.6.0
2026-06-12T22:14:22.748612+00:00	GitLab Importer	Affected by	VCID-5btf-rv13-jucn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2026-40973.yml	38.6.0
2026-06-12T22:14:14.884674+00:00	GitLab Importer	Affected by	VCID-w8ap-9xym-xfg4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2026-40976.yml	38.6.0