HIGH | APRIL 23, 2026 | CVE-2026-40972
Description: An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading…
MEDIUM | APRIL 23, 2026 | CVE-2026-40975
Description: Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected Spring Products…
MEDIUM | APRIL 23, 2026 | CVE-2026-40971
Description: When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected Spring Products and Versions: Spring Boot 4.0.0 - 4.0.5, 3.5.0 - 3.5.1…
CRITICAL | APRIL 23, 2026 | CVE-2026-40976
Description: In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its…
MEDIUM | APRIL 23, 2026 | CVE-2026-40977
Description: When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected Spring Products and Versions: Spring…
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Description: Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a…
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Description: Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. An attacker with a valid one-time token can send concurrent requests to the…
LOW | APRIL 20, 2026 | CVE-2026-22746
Description: If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled…
MEDIUM | APRIL 20, 2026 | CVE-2026-22747
Description: SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating…
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
Description: When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder…