Local File Corruption Risk in Spring Boot Versions from Pivotal
CVE-2026-40977
4.7 MEDIUM
What is CVE-2026-40977?
A vulnerability exists in Spring Boot that allows a local attacker with write access to the location of the PID file to corrupt a specific file every time the application is started. This issue arises when the ApplicationPidFileWriter is configured improperly. All affected versions must be updated to the latest fixes to mitigate potential risks.
Affected Version(s)
Spring Boot 4.0.0 < 4.0.6
Spring Boot 3.5.0 < 3.5.14
Spring Boot 3.4.0 < 3.4.16
