
Description

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. The issue concerns PID file and symlink handling in `ApplicationPidFileWriter`. Affected versions: Spring Boot 4.0.0–4.0.5 (fixed in 4.0.6), 3.5.0–3.5.13 (fixed in 3.5.14), 3.4.0–3.4.15 (fixed in 3.4.16), 3.3.0–3.3.18 (fixed in 3.3.19), and 2.7.0–2.7.32 (fixed in 2.7.33). Versions that are no longer supported are also affected, per the vendor advisory.

PUBLISHED Reserved 2026-04-16 | Published 2026-04-27 | Updated 2026-04-28 | Assigner vmware




MEDIUM: 4.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Problem types

CWE-59: Improper Link Resolution Before File Access

Product status

Default status: unaffected

4.0.0 (custom) before 4.0.6: affected

3.5.0 (custom) before 3.5.14: affected

3.4.0 (custom) before 3.4.16: affected

3.3.0 (custom) before 3.3.19: affected

2.7.0 (custom) before 2.7.33: affected

References

spring.io/security/cve-2026-40977

cve.org (CVE-2026-40977)

nvd.nist.gov (CVE-2026-40977)
