Home
MEDIUM: 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NDefault status
unaffected
4.0.0 (custom) before 4.0.6
affected
3.5.0 (custom) before 3.5.14
affected
3.4.0 (custom) before 3.4.16
affected
3.3.0 (custom) before 3.3.19
affected
2.7.0 (custom) before 2.7.33
affected
Description
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Problem types
CWE-330: Use of Insufficiently Random Values
Product status
4.0.0 (custom) before 4.0.6
3.5.0 (custom) before 3.5.14
3.4.0 (custom) before 3.4.16
3.3.0 (custom) before 3.3.19
2.7.0 (custom) before 2.7.33
References
spring.io/security/cve-2026-40975