Multiple CVEs Affecting Spring Framework Released on April 27, 2026
Severity: High (Score: 72.0)
Sources: spring.io
Summary
On April 27, 2026, three critical vulnerabilities were disclosed for the Spring Framework. CVE-2026-40973 allows local attackers to hijack sessions by exploiting predictable temp directory permissions. CVE-2026-40972 enables remote attackers on the same network to execute code via timing attacks on remote secrets. CVE-2026-40976 concerns ineffective default web security that permits unauthorized access to endpoints. All affected versions, including those no longer supported, require immediate upgrades to fixed versions. No further mitigation steps are necessary for users. The vulnerabilities pose significant risks to applications using the Spring Framework, especially in multi-user environments. Users are urged to act promptly to secure their applications.
Key Points:
- CVE-2026-40973 allows local session hijacking via temp directory exploitation.
- CVE-2026-40972 enables remote code execution through timing attacks on secrets.
- CVE-2026-40976 exposes applications to unauthorized access due to weak default security.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-40972 (cve)
- CVE-2026-40973 (cve)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-287 - Improper Authentication (cwe)
- Apache Tomcat (platform)
- OpenJDK (platform)
- Spring (platform)
- Spring Boot (platform)
- Tanzu Spring (platform)