Weak Random Number Generation in Spring Boot Compromises Application Secrets
CVE-2026-40975

4.8 MEDIUM

Key Information:

Vendor: Spring

CVE Published: 27 April 2026

What is CVE-2026-40975?

Spring Boot versions 4.0.0 to 4.0.5, 3.5.0 to 3.5.13, 3.4.0 to 3.4.15, 3.3.0 to 3.3.18, and 2.7.0 to 2.7.32 contain a serious vulnerability: the random.value property source is backed by weak pseudorandom number generators (PRNGs), so the values it produces are predictable and unsuitable for use as cryptographic secrets. If an attacker can reproduce these values, sensitive information derived from them may be exposed. To mitigate the vulnerability, update your Spring Boot application to at least version 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33.
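As an added example (not code from this page or from the Spring project), the following Java class does two things a defender would want while assessing this advisory: it lists the properties in an application.properties text whose value is derived from a `${random.*}` placeholder, and it generates a replacement secret from `java.security.SecureRandom` that can be supplied out of band. The property keys, the sample properties text and the `APP_SESSION_SECRET` environment variable name are constructed for the example; the `${random.value}` and `${random.uuid}` placeholder syntax is Spring Boot's. The page does not say which generator Spring used internally; the comment below only contrasts the two JDK classes.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SecretHygiene {

    // SecureRandom draws from the platform CSPRNG. java.util.Random is a
    // deterministic generator and must not be used to derive secrets.
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns numBytes of CSPRNG output, hex-encoded (works on Java 8+). */
    public static String hexSecret(int numBytes) {
        if (numBytes < 16) {
            throw new IllegalArgumentException("use at least 128 bits of entropy");
        }
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Matches ${random.value}, ${random.uuid}, ${random.int(...)} and similar.
    private static final Pattern RANDOM_PLACEHOLDER =
            Pattern.compile("\\$\\{random\\.[^}]*\\}");

    /** Lists "key -> placeholder" pairs for properties that rely on ${random.*}. */
    public static List<String> findRandomPlaceholders(String propertiesText) {
        List<String> hits = new ArrayList<>();
        for (String line : propertiesText.split("\\R")) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) {
                continue;
            }
            Matcher m = RANDOM_PLACEHOLDER.matcher(trimmed);
            if (m.find()) {
                int eq = trimmed.indexOf('=');
                String key = eq > 0 ? trimmed.substring(0, eq).trim() : trimmed;
                hits.add(key + " -> " + m.group());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample application.properties content (hypothetical keys).
        String sample = String.join("\n",
                "# constructed example",
                "server.port=8080",
                "app.session.secret=${random.value}",
                "app.instance.id=${random.uuid}",
                "app.api.key=${APP_API_KEY}");

        System.out.println("Properties deriving their value from ${random.*}:");
        for (String hit : findRandomPlaceholders(sample)) {
            System.out.println("  " + hit);
        }
        // Only keys that act as secrets need a CSPRNG-backed replacement;
        // a non-secret instance id can keep using a random placeholder.
        System.out.println("Replacement value to supply as APP_SESSION_SECRET: " + hexSecret(32));
    }
}
```

Having identified the secret-bearing keys, generate the value once with `hexSecret`, store it in an environment variable or secret manager, and reference it from configuration as `app.session.secret=${APP_SESSION_SECRET}` instead of `${random.value}`. This removes the dependence on the property source's generator but does not replace the upgrade to the fixed versions named above.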

Affected Version(s)

Spring Boot 4.0.0 < 4.0.6

Spring Boot 3.5.0 < 3.5.14

Spring Boot 3.4.0 < 3.4.16

Spring Boot 3.3.0 < 3.3.19

Spring Boot 2.7.0 < 2.7.33
CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 27 April 2026

  • Vulnerability reserved