Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5btf-rv13-jucn
Vulnerability ID VCID-5btf-rv13-jucn
Aliases CVE-2026-40973
GHSA-wwpq-f5c3-7hvx
Summary A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-377 Insecure Temporary File
CWE-341 Predictable from Observable State
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40973.json
epss 9e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-40973
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wwpq-f5c3-7hvx
cvssv3.1 7.0 https://github.com/spring-projects/spring-boot
generic_textual HIGH https://github.com/spring-projects/spring-boot
cvssv3.1 7.0 https://nvd.nist.gov/vuln/detail/CVE-2026-40973
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-40973
cvssv3.1 7 https://spring.io/security/cve-2026-40973
cvssv3.1 7.0 https://spring.io/security/cve-2026-40973
generic_textual HIGH https://spring.io/security/cve-2026-40973
ssvc Track https://spring.io/security/cve-2026-40973
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40973.json
https://api.first.org/data/v1/epss?cve=CVE-2026-40973
https://github.com/spring-projects/spring-boot
https://nvd.nist.gov/vuln/detail/CVE-2026-40973
2463330 https://bugzilla.redhat.com/show_bug.cgi?id=2463330
cve-2026-40973 https://spring.io/security/cve-2026-40973
GHSA-wwpq-f5c3-7hvx https://github.com/advisories/GHSA-wwpq-f5c3-7hvx
RHSA-2026:17668 https://access.redhat.com/errata/RHSA-2026:17668
RHSA-2026:21772 https://access.redhat.com/errata/RHSA-2026:21772
RHSA-2026:25089 https://access.redhat.com/errata/RHSA-2026:25089
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40973.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-boot
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40973
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://spring.io/security/cve-2026-40973
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://spring.io/security/cve-2026-40973
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-28T12:42:23Z/ Found at https://spring.io/security/cve-2026-40973
Exploit Prediction Scoring System (EPSS)
Percentile 0.0089
EPSS Score 9e-05
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:53:12.447973+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/40xxx/CVE-2026-40973.json 38.6.0