Timing Attack Vulnerability in Spring Boot by Pivotal Software
CVE-2026-40972

7.5 HIGH

Key Information:

Vendor: Spring

CVE Published: 27 April 2026

What is CVE-2026-40972?

In Spring Boot, a timing attack allows an attacker on the same local network as the remote application to potentially discover sensitive remote secrets. If exploited, this could enable the attacker to leak the secret and upload altered classes, achieving remote code execution within the vulnerable application context. All versions in the affected ranges below, prior to their respective patch releases, contain this flaw, so upgrading to a patched release is the remediation.
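The advisory does not say which comparison in Spring Boot was affected, so the following is an added example (not Spring Boot's own code) of the general class of defect: a secret check that exits at the first mismatching byte, next to a constant-time replacement. Class, method and header names and the sample secret are constructed for illustration.

```java
// Added example, not Spring Boot code: data-dependent vs constant-time secret comparison.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SecretCompareDemo {

    // Leaky form: returns at the first mismatching byte, so the time taken grows
    // with the length of the matching prefix. Over enough samples that prefix
    // length becomes observable from response timing.
    static boolean leakyEquals(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != provided[i]) {
                return false; // early exit: timing depends on secret contents
            }
        }
        return true;
    }

    // Hardened form: hash both sides so the comparison runs over fixed-length
    // digests (hiding the secret's length), then use MessageDigest.isEqual,
    // which inspects every byte regardless of where the first difference is.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected);
            md.reset();
            byte[] b = md.digest(provided);
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // Hypothetical request check: the configured secret is compared against a
    // value supplied by the caller (for example a request header).
    static boolean authorize(String configuredSecret, String suppliedValue) {
        if (configuredSecret == null || suppliedValue == null) {
            return false;
        }
        return constantTimeEquals(
                configuredSecret.getBytes(StandardCharsets.UTF_8),
                suppliedValue.getBytes(StandardCharsets.UTF_8));
    }

    // Rough per-call cost in nanoseconds. Real measurements need far more samples
    // and statistical treatment; this only shows the shape of the problem.
    static long averageNanos(Runnable body) {
        final int iterations = 500_000;
        for (int i = 0; i < 50_000; i++) body.run(); // JIT warm-up
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) body.run();
        return (System.nanoTime() - start) / iterations;
    }

    public static void main(String[] args) {
        // Constructed sample values: one guess wrong in the first byte, one wrong only in the last.
        byte[] secret     = "s3cret-token-9f1a".getBytes(StandardCharsets.UTF_8);
        byte[] wrongEarly = "x3cret-token-9f1a".getBytes(StandardCharsets.UTF_8);
        byte[] wrongLate  = "s3cret-token-9f1x".getBytes(StandardCharsets.UTF_8);

        System.out.println("leaky, mismatch at byte 0:      " + averageNanos(() -> leakyEquals(secret, wrongEarly)) + " ns");
        System.out.println("leaky, mismatch at last byte:   " + averageNanos(() -> leakyEquals(secret, wrongLate)) + " ns");
        System.out.println("constant, mismatch at byte 0:   " + averageNanos(() -> constantTimeEquals(secret, wrongEarly)) + " ns");
        System.out.println("constant, mismatch at last byte:" + averageNanos(() -> constantTimeEquals(secret, wrongLate)) + " ns");

        System.out.println("authorize(correct)   = " + authorize("s3cret-token-9f1a", "s3cret-token-9f1a"));
        System.out.println("authorize(incorrect) = " + authorize("s3cret-token-9f1a", "s3cret-token-9f1x"));
    }
}
```

Compile and run with `javac SecretCompareDemo.java && java SecretCompareDemo`. The leaky comparison's cost differs between the early and late mismatch; the hashed, `MessageDigest.isEqual` comparison does not vary with where the guess diverges, which is the property a remote-secret check needs. Hashing before comparing also means callers cannot learn the secret's length from timing.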

Affected Version(s)

Spring Boot 4.0.0 < 4.0.6

Spring Boot 3.5.0 < 3.5.14

Spring Boot 3.4.0 < 3.4.16

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved