Spring Boot 4.0.6 Released: Urgent Fix for 8 Security Vulnerabilities – Verify Your Version
Spring Boot 4.0.6 has been officially released, bringing 65 bug fixes and patches for eight CVE security issues—including a critical Actuator endpoint exposure—across 4.0.x, 3.5.x, 3.4.x, 3.3.x, and 2.7.x versions, so users should upgrade promptly.
Spring Boot 4.0.6 has been officially released. This is a maintenance release (no new features) that contains 65 bug fixes, documentation improvements, dependency upgrades, and fixes for eight CVE security issues.
Critical vulnerability
1. Actuator endpoint unauthorized access (CVE‑2026‑40976, Critical)
Affected versions: 4.0.x. Fixed in 4.0.6 (OSS). Under the default web security configuration, any Actuator endpoint may be reachable without authentication, which is a severe exposure.
High‑risk vulnerabilities
1. Remote key disclosure (CVE‑2026‑40972, High)
Affected versions: 4.0.x, 3.5.x, 3.4.x, 3.3.x, 2.7.x. Fixed in 4.0.6 (OSS) and corresponding patch versions for older branches (3.5.14, 3.4.16, 3.3.19, 2.7.33). An attacker on the same network could obtain remote keys and potentially execute code by uploading modified class files.
2. Authenticated user hijacking (CVE‑2026‑40973, High)
Affected versions: same as above. Fixed in the same versions. If server.servlet.session.persistent=true and an attacker controls the ApplicationTemp directory, they can read the persisted session data after a restart, hijack user sessions, or deploy a gadget chain.
Medium‑risk vulnerabilities
Elasticsearch SSL hostname verification missing (CVE‑2026‑40970) – Affected 4.0.x, fixed in 4.0.6. The auto‑configuration does not verify TLS hostnames, exposing a MITM risk.
RabbitMQ SSL hostname verification missing (CVE‑2026‑40971) – Same impact and fix as above for RabbitMQ.
Cassandra SSL hostname verification missing (CVE‑2026‑40974) – Same impact and fix for Cassandra.
Predictable random‑value keys (CVE‑2026‑40975) – Using ${random.value} for keys is unsafe because ${random.int} and ${random.long} are predictable; ${random.uuid} is not affected.
File destruction on host (CVE‑2026‑40977) – When ApplicationPidFileWriter is enabled, a local attacker with write access to the PID file location can overwrite a file on each application start.
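The settings named in the items above (persistent sessions, ${random.*} placeholders, the PID file writer, TLS to Elasticsearch/RabbitMQ/Cassandra, and Actuator exposure) can all be spotted in an application.properties file before the upgrade lands. The following audit script is an added example, not code from the release announcement or the Spring project. It assumes that spring.pid.file, spring.elasticsearch.uris, spring.rabbitmq.ssl.enabled, spring.cassandra.ssl.enabled (spring.data.cassandra.ssl on 2.x) and management.endpoints.web.exposure.include are the relevant switches; the sample properties file it scans is constructed for the demonstration.

```python
import re
from typing import Iterator, List, Tuple

# One finding: (line number, property key, CVE from the advisory, note)
Finding = Tuple[int, str, str, str]

# ${random.value}, ${random.int}, ${random.int(10)} and ${random.long[1,9]} are the
# predictable forms named in the advisory; ${random.uuid} is not affected, so the
# pattern deliberately does not match it.
PREDICTABLE_RANDOM = re.compile(r"\$\{random\.(value|int|long)(?:[(\[][^}]*)?\}")

# Property names this example assumes are the relevant switches (standard Spring
# Boot keys, but not quoted in the advisory itself).
PID_FILE_KEY = "spring.pid.file"
ES_URIS_KEY = "spring.elasticsearch.uris"
RABBIT_SSL_KEY = "spring.rabbitmq.ssl.enabled"
CASSANDRA_SSL_KEYS = ("spring.cassandra.ssl.enabled", "spring.data.cassandra.ssl")
ACTUATOR_EXPOSURE_KEY = "management.endpoints.web.exposure.include"


def parse_properties(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, key, value) for 'key=value' or 'key: value' lines.
    Blank lines and '#'/'!' comments are skipped; no escape handling is attempted."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            yield n, m.group(1), m.group(2).strip()


def audit_properties(text: str) -> List[Finding]:
    """Map each risky setting to the advisory item it relates to."""
    findings: List[Finding] = []
    for n, key, value in parse_properties(text):
        low = value.lower()
        if key == "server.servlet.session.persistent" and low == "true":
            findings.append((n, key, "CVE-2026-40973",
                "sessions are persisted under the ApplicationTemp directory and read back "
                "on restart; that directory must not be writable by other local users"))
        if PREDICTABLE_RANDOM.search(value):
            findings.append((n, key, "CVE-2026-40975",
                "${random.value}/${random.int}/${random.long} are predictable; "
                "use ${random.uuid} or a secret provisioned outside the app"))
        if key == PID_FILE_KEY:
            findings.append((n, key, "CVE-2026-40977",
                "ApplicationPidFileWriter overwrites this path on every start; only the "
                "service account should be able to write there"))
        if key == ES_URIS_KEY and "https://" in low:
            findings.append((n, key, "CVE-2026-40970",
                "TLS to Elasticsearch: hostname is not verified on 4.0.x before 4.0.6"))
        if key == RABBIT_SSL_KEY and low == "true":
            findings.append((n, key, "CVE-2026-40971",
                "TLS to RabbitMQ: hostname is not verified on 4.0.x before 4.0.6"))
        if key in CASSANDRA_SSL_KEYS and low == "true":
            findings.append((n, key, "CVE-2026-40974",
                "TLS to Cassandra: hostname is not verified on 4.0.x before 4.0.6"))
        if key == ACTUATOR_EXPOSURE_KEY and value == "*":
            findings.append((n, key, "CVE-2026-40976",
                "every Actuator endpoint is exposed over HTTP; on 4.0.x before 4.0.6 the "
                "default web security may leave them reachable without authentication"))
    return findings


# Constructed sample file (not from any real project) exercising each rule once.
SAMPLE_PROPERTIES = """\
# constructed application.properties
server.servlet.session.persistent=true
app.api-key=${random.value}
app.session-token=${random.uuid}
app.port=${random.int[1024,65535]}
spring.pid.file=/var/run/demo.pid
spring.elasticsearch.uris=https://es.internal:9200
spring.rabbitmq.ssl.enabled=true
management.endpoints.web.exposure.include=*
"""

if __name__ == "__main__":
    for line_no, key, cve, note in audit_properties(SAMPLE_PROPERTIES):
        print(f"line {line_no}: {key} -> {cve}: {note}")
```

Run it against a real application.properties by reading the file into audit_properties; YAML configuration would need a separate loader, and the ${random.uuid} line in the sample is there to confirm the unaffected form is not reported.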
Upgrade to the fixed version for your branch (4.0.6 for 4.0.x, 3.5.14 for 3.5.x, 3.4.16 for 3.4.x, 3.3.19 for 3.3.x, 2.7.33 for 2.7.x) to mitigate these risks. The release notes emphasize that even a maintenance release can contain critical security fixes.
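To verify a project's version against the fixed releases listed above, the following script is an added example (not from the release announcement or the Spring project). It reads the spring-boot-starter-parent version from a pom.xml, maps it to its branch and reports whether the declared version is at or above the fix; the pom.xml shown is constructed for the demonstration, and projects that import the Spring Boot BOM instead of using the parent are out of scope.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Fixed version per branch, as listed in the release announcement.
FIXED_VERSIONS = {
    "4.0": "4.0.6",
    "3.5": "3.5.14",
    "3.4": "3.4.16",
    "3.3": "3.3.19",
    "2.7": "2.7.33",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-QUALIFIER]' into a comparable tuple.
    A qualified build (4.0.6-SNAPSHOT, 4.0.6-RC1) sorts before the final 4.0.6,
    so it is still reported as needing the upgrade."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), 0 if qualifier else 1


def assess(version: str) -> Tuple[str, Optional[str], str]:
    """Return (branch, fixed version or None, status).
    status is 'patched', 'vulnerable' or 'unlisted-branch' (a branch the
    announcement does not cover, for example one that is out of support)."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch, None, "unlisted-branch"
    return branch, fixed, "patched" if v >= parse_version(fixed) else "vulnerable"


def spring_boot_parent_version(pom_xml: str) -> Optional[str]:
    """Read the version of a spring-boot-starter-parent <parent> from a pom.xml.
    The Maven namespace is stripped so plain and namespaced poms both work."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    parent = root.find("parent")
    if parent is None or parent.findtext("artifactId") != "spring-boot-starter-parent":
        return None
    return parent.findtext("version")


# Constructed sample pom.xml; the version is made up for the demonstration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>4.0.5</version>
  </parent>
  <artifactId>demo</artifactId>
</project>
"""

if __name__ == "__main__":
    found = spring_boot_parent_version(SAMPLE_POM)
    branch, fixed, status = assess(found)
    print(f"spring-boot {found} (branch {branch}): {status}; fixed in {fixed}")
```

A branch the announcement does not list (for example 3.2.x) is reported as unlisted rather than patched, since the page gives no fix for it; treat that result as a prompt to move to a listed branch rather than as a clean bill of health.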
Java Tech Enthusiast