GHSA-56v8-86gj-66jp

Source

https://github.com/advisories/GHSA-56v8-86gj-66jp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-56v8-86gj-66jp

Aliases

CVE-2026-40972

Published

2026-04-28T00:31:40Z

Modified

2026-05-06T19:19:53.074180Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Spring Boot DevTools remote secret comparison is vulnerable to timing attacks

Details

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

Database specific

{
    "cwe_ids": [
        "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:02:13Z",
    "nvd_published_at": "2026-04-28T00:16:24Z",
    "severity": "HIGH"
}

References

Affected packages

Maven

org.springframework.boot:spring-boot-devtools

Package

Name: org.springframework.boot:spring-boot-devtools; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-devtools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.6

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json"

org.springframework.boot:spring-boot-devtools

Package

Name: org.springframework.boot:spring-boot-devtools; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-devtools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.5.0

Fixed

3.5.14

Affected versions

3.*

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json"

org.springframework.boot:spring-boot-devtools

Package

Name: org.springframework.boot:spring-boot-devtools; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-devtools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Last affected

3.4.15

Affected versions

3.*

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.4.9

3.4.10

3.4.11

3.4.12

3.4.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json"

org.springframework.boot:spring-boot-devtools

Package

Name: org.springframework.boot:spring-boot-devtools; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-devtools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Last affected

3.3.18

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

3.3.11

3.3.12

3.3.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json"

org.springframework.boot:spring-boot-devtools

Package

Name: org.springframework.boot:spring-boot-devtools; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-devtools

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.32

Affected versions

1.*

1.3.0.RELEASE

1.3.1.RELEASE

1.3.2.RELEASE

1.3.3.RELEASE

1.3.4.RELEASE

1.3.5.RELEASE

1.3.6.RELEASE

1.3.7.RELEASE

1.3.8.RELEASE

1.4.0.RELEASE

1.4.1.RELEASE

1.4.2.RELEASE

1.4.3.RELEASE

1.4.4.RELEASE

1.4.5.RELEASE

1.4.6.RELEASE

1.4.7.RELEASE

1.5.0.RELEASE

1.5.1.RELEASE

1.5.2.RELEASE

1.5.3.RELEASE

1.5.4.RELEASE

1.5.5.RELEASE

1.5.6.RELEASE

1.5.7.RELEASE

1.5.8.RELEASE

1.5.9.RELEASE

1.5.10.RELEASE

1.5.11.RELEASE

1.5.12.RELEASE

1.5.13.RELEASE

1.5.14.RELEASE

1.5.15.RELEASE

1.5.16.RELEASE

1.5.17.RELEASE

1.5.18.RELEASE

1.5.19.RELEASE

1.5.20.RELEASE

1.5.21.RELEASE

1.5.22.RELEASE

2.*

2.0.0.RELEASE

2.0.1.RELEASE

2.0.2.RELEASE

2.0.3.RELEASE

2.0.4.RELEASE

2.0.5.RELEASE

2.0.6.RELEASE

2.0.7.RELEASE

2.0.8.RELEASE

2.0.9.RELEASE

2.1.0.RELEASE

2.1.1.RELEASE

2.1.2.RELEASE

2.1.3.RELEASE

2.1.4.RELEASE

2.1.5.RELEASE

2.1.6.RELEASE

2.1.7.RELEASE

2.1.8.RELEASE

2.1.9.RELEASE

2.1.10.RELEASE

2.1.11.RELEASE

2.1.12.RELEASE

2.1.13.RELEASE

2.1.14.RELEASE

2.1.15.RELEASE

2.1.16.RELEASE

2.1.17.RELEASE

2.1.18.RELEASE

2.2.0.RELEASE

2.2.1.RELEASE

2.2.2.RELEASE

2.2.3.RELEASE

2.2.4.RELEASE

2.2.5.RELEASE

2.2.6.RELEASE

2.2.7.RELEASE

2.2.8.RELEASE

2.2.9.RELEASE

2.2.10.RELEASE

2.2.11.RELEASE

2.2.12.RELEASE

2.2.13.RELEASE

2.3.0.RELEASE

2.3.1.RELEASE

2.3.2.RELEASE

2.3.3.RELEASE

2.3.4.RELEASE

2.3.5.RELEASE

2.3.6.RELEASE

2.3.7.RELEASE

2.3.8.RELEASE

2.3.9.RELEASE

2.3.10.RELEASE

2.3.11.RELEASE

2.3.12.RELEASE

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.5.14

2.5.15

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

2.7.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-56v8-86gj-66jp/GHSA-56v8-86gj-66jp.json"