CVE-2026-40973
Description
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-40973",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security@vmware.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 7,
"attackVector": "LOCAL",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "HIGH",
"availabilityImpact": "HIGH",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 1
}
]
},
"published": "2026-04-28T00:16:24.357",
"references": [
{
"url": "https://spring.io/security/cve-2026-40973",
"tags": [
"Vendor Advisory"
],
"source": "security@vmware.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security@vmware.com",
"description": [
{
"lang": "en",
"value": "CWE-377"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory."
}
],
"lastModified": "2026-04-30T14:25:36.860",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5B1C9BD7-7555-4B3D-AED9-60C3C13DCF46",
"versionEndExcluding": "2.7.33"
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "28EE6470-24FD-49D1-A2F0-7A19B290A161",
"versionEndExcluding": "3.3.19",
"versionStartIncluding": "3.3.0"
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "758A9E8F-0C52-43D9-8D84-69622B345A4E",
"versionEndExcluding": "3.4.16",
"versionStartIncluding": "3.4.0"
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D23096A1-8269-46C5-9215-9098E87D0A24",
"versionEndExcluding": "3.5.14",
"versionStartIncluding": "3.5.0"
},
{
"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441",
"versionEndExcluding": "4.0.6",
"versionStartIncluding": "4.0.0"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security@vmware.com"
}
}