CVE-2026-40975

EUVD-2026-25939

28.04.2026, 00:16

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
vmware	spring_boot	𝑥 < 2.7.33
vmware	spring_boot	3.3.0 ≤ 𝑥 < 3.3.19
vmware	spring_boot	3.4.0 ≤ 𝑥 < 3.4.16
vmware	spring_boot	3.5.0 ≤ 𝑥 < 3.5.14
vmware	spring_boot	4.0.0 ≤ 𝑥 < 4.0.6

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-330 - Use of Insufficiently Random Values
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Vulnerability Media Exposure

[GERMAN] VMware Tanzu Spring Boot: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in VMware Tanzu Spring Boot ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Daten zu manipulieren oder offenzulegen oder authentifizierte Benutzer zu kapern.
Published: 2026-04-23T22:00:00+00:00

References

https://spring.io/security/cve-2026-40975