CVE-2026-40972

high VMware
CVSS v3 Base Score
7.5
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.1%
Exploitation probability in 30 days
Top 84% most likely to be exploited
Attack Characteristics
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: April 28, 2026 (16 days ago)
Last Modified: April 30, 2026
Vendor: VMware
Source: NVD

Description

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

CWE

CWE-208

Affected Products

vmware spring boot

References

🔗 spring.io