Multiple CVEs Affecting Spring Framework Released on April 27, 2026

Multiple CVEs Affecting Spring Framework Released on April 27, 2026

First seen 27 Apr 2026, 18:01 UTC spring.ioCcb.Belgium.Be 79% similarity 72.0

Article Content

Browse articles
ThreatCluster

On April 27, 2026, three critical vulnerabilities were disclosed for the Spring Framework. CVE-2026-40973 allows local attackers to hijack sessions by exploiting predictable temp directory permissions. CVE-2026-40972 enables remote attackers on the same network to execute code via timing attacks on remote secrets. CVE-2026-40976 reveals ineffective default web security, permitting unauthorized access to endpoints. All affected versions, including those no longer supported, require immediate upgrades to fixed versions. No further mitigation steps are necessary for users. The vulnerabilities pose significant risks to applications using the Spring Framework, especially in multi-user environments. Users are urged to act promptly to secure their applications.

Key Points: • CVE-2026-40973 allows local session hijacking via temp directory exploitation. • CVE-2026-40972 enables remote code execution through timing attacks on secrets. • CVE-2026-40976 exposes applications to unauthorized access due to weak security.

ThreatCluster AI

Timeline

2026-04-27
CVE-2026-40973 disclosed
2026-04-27
CVE-2026-40972 disclosed
2026-04-27
CVE-2026-40976 disclosed

Community

Browse all →