GHSA-8v8j-3hxp-93wr

Source
https://github.com/advisories/GHSA-8v8j-3hxp-93wr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-8v8j-3hxp-93wr/GHSA-8v8j-3hxp-93wr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8v8j-3hxp-93wr
Aliases
  • CVE-2026-40976
Downstream
Related
Published
2026-04-28T00:31:41Z
Modified
2026-05-13T23:44:30.269054640Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Spring Boot's default security filter chain has no authorization rule with Actuator but without Health
Details

In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must meet all of the following conditions:
  • be a servlet-based web application;
  • have no Spring Security configuration of its own and rely on the default web security filter chain;
  • depend on spring-boot-actuator-autoconfigure;
  • not depend on spring-boot-health.
If any of the above does not apply, the application is not vulnerable.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Database specific
{
    "github_reviewed_at": "2026-05-06T18:54:08Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "nvd_published_at": "2026-04-28T00:16:24Z",
    "severity": "CRITICAL"
}
References

Affected packages

Maven / org.springframework.boot:spring-boot

Package

Name
org.springframework.boot:spring-boot
Purl
pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.6

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-8v8j-3hxp-93wr/GHSA-8v8j-3hxp-93wr.json"