{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40972", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-27T23:15:19.194Z", "dateUpdated": "2026-04-29T03:55:44.263Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:15:19.194Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE", "cweId": "CWE-208"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "modules": ["spring-boot-devtools"], "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40972"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-40972"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T03:55:44.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-28T12:45:17.811043Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:45:23.300Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "modules": ["spring-boot-devtools"], "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-40972"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "value": "<p>An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:15:19.194Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40972", "state": "PUBLISHED", "dateUpdated": "2026-04-29T03:55:44.263Z", "dateReserved": "2026-04-16T02:18:56.133Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-27T23:15:19.194Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1C9BD7-7555-4B3D-AED9-60C3C13DCF46", "versionEndExcluding": "2.7.33", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "28EE6470-24FD-49D1-A2F0-7A19B290A161", "versionEndExcluding": "3.3.19", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "758A9E8F-0C52-43D9-8D84-69622B345A4E", "versionEndExcluding": "3.4.16", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D23096A1-8269-46C5-9215-9098E87D0A24", "versionEndExcluding": "3.5.14", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441", "versionEndExcluding": "4.0.6", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory."}], "id": "CVE-2026-40972", "lastModified": "2026-04-30T14:26:30.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T00:16:24.210", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-40972"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison", "id": "2463332", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463332"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-208", "details": ["A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to remote code execution in the remote application."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the Spring Boot DevTools remote functionality in production environments. This feature is primarily intended for development and should not be enabled in publicly accessible deployments.\nTo disable remote DevTools, ensure the `spring.devtools.remote.secret` property is not configured, or explicitly set `spring.devtools.remote.enabled=false` in your application's `application.properties` or `application.yml` file.\nExample for `application.properties`:\n`spring.devtools.remote.enabled=false`\nDisabling this feature may impact development workflows that rely on remote DevTools capabilities. A restart of the application is required for the changes to take effect."}, "name": "CVE-2026-40972", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat AMQ Clients"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-27T23:15:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40972\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40972\nhttps://spring.io/security/cve-2026-40972"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.7.33)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Boot", "source": "cna", "vendor": "Spring"}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-28T12:46:10.187299+00:00", "value": {"mitigation_remediation": ["Upgrade to a Spring Boot version that includes the fix (4.0.6 or later, 3.5.14 or later, 3.4.16 or later, 3.3.19 or later, 2.7.33 or later).", "If an upgrade is not immediately possible, disable Spring Boot DevTools or its remote secret comparison feature to eliminate the vulnerable functionality.", "Limit network exposure of the application by ensuring that only trusted hosts or subnets can reach it, thereby preventing an attacker on the same network from carrying out the timing attack."], "summary": {"action": "Update Soon", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32 are affected. Fixes are available as 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33 respectively. Unsupported Spring Boot releases are also vulnerable according to the vendor advisory.", "description_and_impact": "This vulnerability is a timing attack that targets the remote secret comparison used by Spring Boot\u2019s DevTools. An attacker who can communicate with the same network as the target application may measure response times to deduce bits of the secret. Once the secret is fully compromised, the attacker can upload malicious classes to the application and gain remote code execution. The weakness is defined by CWE\u2011208, a timing side\u2011channel vulnerability, and the impact ranges from inadvertent information disclosure to full remote compromise.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. No EPSS data is currently available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local network attacker able to issue network requests to the remote application, leveraging timing differences to extract the secret. Successful exploitation would allow the attacker to upload arbitrary classes, achieving remote code execution on the host system."}}}}, "created": "2026-04-28T04:15:15.759124+00:00", "title": "Timing Attack on Spring Boot Remote Secret Comparison Enables Remote Code Execution", "updated": "2026-04-28T13:00:15.209747+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}