GHSA-m4x9-hx6x-2c43

Source

https://github.com/advisories/GHSA-m4x9-hx6x-2c43

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m4x9-hx6x-2c43

Aliases

CVE-2026-40975

Published

2026-04-28T00:31:41Z

Modified

2026-05-06T19:02:37.603257Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Spring Boot's random value property source uses a weak PRNG unsuitable for secrets

Details

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

Database specific

{
    "cwe_ids": [
        "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T18:54:42Z",
    "nvd_published_at": "2026-04-28T00:16:24Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.6

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.5.0

Fixed

3.5.14

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Last affected

3.4.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Last affected

3.3.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json"

org.springframework.boot:spring-boot-cassandra

Package

Name: org.springframework.boot:spring-boot-cassandra; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot-cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.32

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m4x9-hx6x-2c43/GHSA-m4x9-hx6x-2c43.json"