CVE-2026-40977

EUVD-2026-25941

28.04.2026, 00:16

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.7 MEDIUM	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Vulnerability Media Exposure

[GERMAN] VMware Tanzu Spring Boot: Angreifer können auf Endpoints zugreifen
Wichtige Sicherheitsupdates schließen mehrere Schwachstellen in der VMware-Tanzu-Spring-Framework-Komponente Spring Boot.
Published: 2026-04-27T07:44:00+00:00

References

https://spring.io/security/cve-2026-40977