- Last update: 28/04/2026
- Affected software:
→ Spring Boot <4.0.6
→ Spring Boot <3.5.14
→ Spring Boot <3.4.16
→ Spring Boot <3.3.19
→ Spring Boot <2.7.33
- Type:
→ Authentication Bypass
→ Session Hijack
→ Timing Attack
- CVE/CVSS:
→ CVE-2026-40976: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
→ CVE-2026-40973: CVSS 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-40972: CVSS 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
https://spring.io/security/cve-2026-40976
https://spring.io/security/cve-2026-40973
https://spring.io/security/cve-2026-40972
A newly discovered set of vulnerabilities in Spring Boot may allow attackers to bypass authorization, hijack sessions, or even achieve remote code execution under certain conditions.
Spring Boot is a widely used Java framework that helps organizations build and run web applications, APIs, and backend services that support business systems, customer platforms, and internal operations.
If exploited, this could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical business systems.
A critical security vulnerability, CVE-2026-40976, has been identified in Spring Boot versions 4.0.0 through 4.0.5. This flaw occurs when the default web security configuration fails to enforce authorization, which can allow unauthorized access to all application endpoints in certain servlet-based deployments.
In vulnerable applications, exploitation is possible when the app is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health.
Two related Spring Boot flaws have also been disclosed: CVE-2026-40973, which may let a local attacker hijack sessions or potentially execute code by taking control of the ApplicationTemp directory, and CVE-2026-40972, which may let an attacker on the same network use a timing attack against the DevTools remote secret and, in extreme cases, achieve remote code execution.
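The first step in triaging this advisory is knowing which Spring Boot branch each application runs and whether it is below the first fixed release for that branch. The script below is an added example written for this page, not code from the CCB or the Spring project: the fixed-version table is copied from the "Affected software" list above, while the function names, the Maven POM reader and the sample POM are constructed for illustration. It also handles two edge cases a plain string comparison gets wrong: a pre-release such as 4.0.6-SNAPSHOT predates the 4.0.6 fix, and the older 2.7.x ".RELEASE" suffix is a final release.

```python
"""Check a Spring Boot version against the fixed releases in this advisory.

Added example for this advisory. FIXED_VERSIONS mirrors the "Affected
software" list; everything else (function names, POM handling, sample data)
is constructed for illustration.
"""

import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# First fixed release per branch, as listed under "Affected software".
FIXED_VERSIONS = {
    (4, 0): (4, 0, 6),
    (3, 5): (3, 5, 14),
    (3, 4): (3, 4, 16),
    (3, 3): (3, 3, 19),
    (2, 7): (2, 7, 33),
}

# major.minor.patch with an optional "-SUFFIX" or ".SUFFIX" (e.g. -SNAPSHOT, .RELEASE)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([A-Za-z0-9.]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease).

    Accepts "3.5.13", "4.0.6-SNAPSHOT" and "2.7.18.RELEASE" style strings; the
    legacy ".RELEASE" suffix counts as a final release. Malformed input raises
    ValueError so that an unparsable version is never silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    numbers = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    is_prerelease = suffix is not None and suffix.upper() != "RELEASE"
    return numbers, is_prerelease


def assess(version: str) -> Optional[str]:
    """Return None when the version is at or above its branch's fixed release,
    otherwise a message saying why it needs attention."""
    (major, minor, patch), prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (f"{version}: branch {major}.{minor}.x is not listed in the "
                f"advisory; verify it against spring.io")
    current = (major, minor, patch)
    # A pre-release build of the fixed version (4.0.6-SNAPSHOT) predates the fix.
    if current < fixed or (current == fixed and prerelease):
        return f"{version}: affected, upgrade to {'.'.join(map(str, fixed))} or later"
    return None


def _qualified(root: ET.Element, name: str) -> str:
    """Prefix an element name with the POM namespace if the document declares one."""
    tag = root.tag
    if tag.startswith("{"):
        return tag[: tag.index("}") + 1] + name
    return name


def spring_boot_version_from_pom(pom_xml: str) -> Optional[str]:
    """Read the Spring Boot version from a Maven POM that inherits from
    spring-boot-starter-parent. Returns None when no such parent is declared
    (Gradle builds or BOM-based dependency management need a different check)."""
    root = ET.fromstring(pom_xml)
    parent = root.find(_qualified(root, "parent"))
    if parent is None:
        return None
    artifact = parent.findtext(_qualified(root, "artifactId"), default="")
    if artifact.strip() != "spring-boot-starter-parent":
        return None
    version = parent.findtext(_qualified(root, "version"))
    return version.strip() if version else None


# Constructed sample POM for a demo application pinned to a pre-fix 4.0.x release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>4.0.5</version>
  </parent>
  <artifactId>demo</artifactId>
</project>
"""


if __name__ == "__main__":
    found = spring_boot_version_from_pom(SAMPLE_POM)
    print("POM version:", found)
    for v in (found, "4.0.6", "4.0.6-SNAPSHOT", "3.5.14", "2.7.18.RELEASE", "3.2.5"):
        print(v, "->", assess(v) or "not affected by this advisory")
```

Running the script against a real `pom.xml` (read from disk instead of `SAMPLE_POM`) gives a quick inventory answer; the version check alone does not tell you whether the four exposure conditions for CVE-2026-40976 (servlet-based, default filter chain, spring-boot-actuator-autoconfigure present, spring-boot-health absent) apply, so a flagged application still needs its dependency tree reviewed.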
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.