MEDIUM | APRIL 23, 2026 | CVE-2026-40975
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is
not affected. ${random.int} and ${random.long} should never be used for secrets as they
are numeric values with a predictable range. Affected Spring Products…
CRITICAL | APRIL 23, 2026 | CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing
unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its…
HIGH | APRIL 23, 2026 | CVE-2026-40972
An attacker on the same network as the remote application may be able to utilize a timing
attack to discover information about the remote secret. In extreme circumstances this
could result in the attacker determining the secret and uploading…
MEDIUM | APRIL 23, 2026 | CVE-2026-40977
When an application is configured to use ApplicationPidFileWriter, a local attacker
with write access to the PID file's location can corrupt one file on the host each time
the application is started. Affected Spring Products and Versions Spring…
MEDIUM | APRIL 23, 2026 | CVE-2026-40971
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does
not perform hostname verification when connecting to the RabbitMQ broker. Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5, 3.5.0 - 3.5.1…
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.
An attacker with a valid one-time token can send concurrent requests to the…
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a…
LOW | APRIL 20, 2026 | CVE-2026-22746
If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled…
MEDIUM | APRIL 20, 2026 | CVE-2026-22747
SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating…
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder…