CVE-2026-40970

medium

VMware

CVSS v3 Base Score

5.0

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score

0.0%

Exploitation probability in 30 days

Top 95% most likely to be exploited

Attack Characteristics

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Confidentiality

Low

Integrity

Low

Availability

Low

Published: April 27, 2026 (19 days ago)

Last Modified: May 14, 2026

Vendor: VMware

Source: NVD

Description

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

CWE

CWE-295

Affected Products

vmware spring boot

References

🔗 spring.io

CVE-2026-40970

Vulnerability Report

Description

CWE

Affected Products

References