MEDIUM | APRIL 23, 2026 | CVE-2026-40970
Description: When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server.
Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5
Mitigation…
HIGH | APRIL 23, 2026 | CVE-2026-40972
Description: An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading…
MEDIUM | APRIL 23, 2026 | CVE-2026-40975
Description: Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected Spring Products…
MEDIUM | APRIL 23, 2026 | CVE-2026-40977
Description: When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected Spring Products and Versions: Spring…
CRITICAL | APRIL 23, 2026 | CVE-2026-40976
Description: In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its…
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Description: Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. An attacker with a valid one-time token can send concurrent requests to the…
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Description: Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a…
LOW | APRIL 20, 2026 | CVE-2026-22746
Description: If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled…
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
Description: When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder…
HIGH | APRIL 20, 2026 | CVE-2026-22754
Description: If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised…