Home

Description

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.

PUBLISHED Reserved 2026-04-16 | Published 2026-04-27 | Updated 2026-04-29 | Assigner vmware




HIGH: 7.0CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-377: Insecure Temporary File

Product status

Default status
unaffected

4.0.0 (custom) before 4.0.6
affected

3.5.0 (custom) before 3.5.14
affected

3.4.0 (custom) before 3.4.16
affected

3.3.0 (custom) before 3.3.19
affected

2.7.0 (custom) before 2.7.33
affected

References

spring.io/security/cve-2026-40973

cve.org (CVE-2026-40973)

nvd.nist.gov (CVE-2026-40973)

Download JSON