CVE-2026-40992 | THREATINT

Description

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-11 | Updated 2026-06-11 | Assigner vmware

MEDIUM: 5.0CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status

unaffected

4.0.0 (custom) before 4.0.7

affected

3.5.0 (custom) before 3.5.15

affected

3.4.0 (custom) before 3.4.17

affected

References

spring.io/security/cve-2026-40992

cve.org (CVE-2026-40992)

nvd.nist.gov (CVE-2026-40992)

Download JSON