{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40973", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-27T23:29:51.946Z", "dateUpdated": "2026-04-28T12:42:40.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:29:51.946Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-377: Insecure Temporary File", "type": "CWE", "cweId": "CWE-377"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A local attacker on the same host as the application may be able to take control of the directory used by <code>ApplicationTemp</code>. When <code>server.servlet.session.persistent</code> is set to <code>true</code> and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / <code>ApplicationTemp</code> ownership verification. Versions that are no longer supported are also affected per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40973"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T12:42:23.335248Z", "id": "CVE-2026-40973", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:42:40.156Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40973", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-27T23:29:51.946Z", "dateUpdated": "2026-04-28T12:42:40.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:29:51.946Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-377: Insecure Temporary File", "type": "CWE", "cweId": "CWE-377"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality HIGH; Integrity HIGH; Availability HIGH."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A local attacker on the same host as the application may be able to take control of the directory used by <code>ApplicationTemp</code>. When <code>server.servlet.session.persistent</code> is set to <code>true</code> and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / <code>ApplicationTemp</code> ownership verification. Versions that are no longer supported are also affected per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40973"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40973", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-28T12:42:23.335248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:42:35.598Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory."}], "id": "CVE-2026-40973", "lastModified": "2026-04-28T00:16:24.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T00:16:24.357", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-40973"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-377"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.7.33)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Boot", "source": "cna", "vendor": "Spring"}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-28T12:42:08.228205+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest supported Spring Boot release that includes the fix (e.g., 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33 or newer).", "Disable persistent HTTP sessions by configuring server.servlet.session.persistent=false if an upgrade cannot be performed immediately.", "Ensure the application\u2019s temporary directory (ApplicationTemp) is owned by a less privileged user or otherwise protected, and prevent arbitrary write access from local users.", "Verify application configuration to enforce directory ownership checks and consider moving the temporary folder to a secure, isolated location."], "summary": {"action": "Patch Immediately", "impact": "Session Hijack and Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Spring:Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32. The fix was introduced in Spring Boot 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33, respectively. Any releases beyond those ranges, including older unsupported versions, may also be impacted.", "description_and_impact": "Spring Boot applications that enable persistent sessions and rely on the default ApplicationTemp location can be compromised by a local attacker who has file system access on the same host. By controlling the contents of the temporary directory, the attacker can read or modify session data, enabling hijack of authenticated users. If the attacker can also inject a gadget chain into that directory, code execution under the application\u2019s user account becomes possible. The weakness is characterized by CWE-377, reflecting improper control of code and data generation.", "risk_and_exploitability": "The CVSS score of 7 classifies this issue as a high\u2011severity vulnerability, yet the exploit probability remains unknown as EPSS data is missing and the vulnerability is not in the CISA KEV catalogue. Attacks require local host access, the application to have persistent sessions enabled, and the ability to read or modify the ApplicationTemp directory. Consequently, the primary threat is limited to environments where an attacker already has foothold on the same machine, but the damage\u2014session hijacking, credential theft, and possible application\u2011level code execution\u2014can be severe."}}}}, "created": "2026-04-28T02:15:18.517604+00:00", "title": "Local Directory Control Enables Session Hijacking and Code Execution in Spring Boot", "updated": "2026-04-28T12:45:31.399795+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}