SSL Configuration Flaw in Spring Boot Affects Cassandra Connections
CVE-2026-40974

Score: 5 (MEDIUM)

Key Information:

Vendor: Spring

CVE Published: 27 April 2026

What is CVE-2026-40974?

A security issue in Spring Boot's Cassandra auto-configuration allows SSL connections to the Cassandra server to be established without proper hostname verification. Because the identity of the Cassandra server is never validated against its certificate, an attacker positioned on the network path could impersonate the server and carry out a man-in-the-middle attack, exposing the application to interception or tampering of its database traffic. Affected Spring Boot versions require updates to resolve this vulnerability and ensure secure communications.

Affected Version(s)

Spring Boot 4.0.0 < 4.0.6

Spring Boot 3.5.0 < 3.5.14

Spring Boot 3.4.0 < 3.4.16

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved