CVE-2026-40973

HIGH 7.0

CVSS Score

7.0

EPSS Score

0.0%

EPSS Percentile

0th

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.

CWE	CWE-377
Vendor	spring
Product	spring boot
Ecosystems	Java Spring
Industries	TechnologyEnterprise
Published	Apr 27, 2026

Stay Ahead of the Next One

Get instant alerts for spring spring boot

Be the first to know when new high vulnerabilities affecting spring spring boot are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Spring / Spring Boot

4.0.0 < 4.0.6 3.5.0 < 3.5.14 3.4.0 < 3.4.16 3.3.0 < 3.3.19 2.7.0 < 2.7.33

References

NVD ↗ CVE.org ↗ EPSS Data ↗

spring.io: https://spring.io/security/cve-2026-40973