JustAppSec

Spring Boot 4.0.x default security silently drops all authorization

2 min read | Published 24 Apr 2026 | Source: CERT-FR

TL;DR - Spring Boot 4.0.0-4.0.5 silently drops effective authorization in a servlet-based application that relies on the default security filter chain, has spring-boot-actuator-autoconfigure on the classpath, and does not have spring-boot-health. Every endpoint becomes reachable without authentication. Fixed in 4.0.6.

What happened

Spring Boot is the opinionated Java application framework behind a significant share of production microservices. On April 24, 2026, CERT-FR published CERTFR-2026-AVI-0488 covering eight Spring Boot vulnerabilities (CVE-2026-40970 through CVE-2026-40977), with the risk summary spanning remote arbitrary code execution, confidentiality and integrity impact, and security policy bypass.

The most dangerous item is CVE-2026-40976 (Critical). Under a specific but realistic dependency combination, Spring Boot's default web security filter chain becomes entirely ineffective - meaning all endpoints are exposed to unauthenticated access. The full precondition set:

  • servlet-based web application
  • no custom Spring Security configuration (default web security filter chain in use)
  • spring-boot-actuator-autoconfigure present
  • spring-boot-health absent

This is the kind of footgun that's easy to miss. Actuator dependency selection varies by starter and by environment - a build that pulls in Actuator auto-configuration but not the Health module is not an unusual configuration. Nothing fails: the application starts and serves traffic normally, and teams relying on the default security path get no obvious signal that authorization has stopped working. The only observable symptom is that a request which should have been rejected succeeds.

The remaining CVEs in this batch cover TLS hostname verification gaps in auto-configured clients using SSL bundles (Elasticsearch, RabbitMQ, Cassandra), plus local attack surface: control over the ApplicationTemp directory and symlink-following when writing the PID file.

Who is impacted

For CVE-2026-40976 specifically: Spring Boot 4.0.0-4.0.5 applications meeting all four preconditions above.

The wider advisory batch from CERT-FR covers a broader set of supported release lines:

Spring Boot line   Affected versions   Fixed version
2.7.x              < 2.7.33            2.7.33
3.3.x              < 3.3.19            3.3.19
3.4.x              < 3.4.16            3.4.16
3.5.x              < 3.5.14            3.5.14
4.0.x              < 4.0.6             4.0.6

Note that CVE-2026-40976 is scoped to 4.0.0-4.0.5 only. Other CVEs in the batch apply across multiple supported and unsupported branches - check the individual advisories for exact scope.

What to do now

  • Upgrade to the fixed release for your branch (table above), or to whatever later patch release is current when you read this.

    "Users of affected versions should upgrade to the corresponding fixed version."

  • Inventory every service pinned to Spring Boot 4.0.0-4.0.5. For each, audit the dependency graph:
    • Is it a servlet-based app?
    • Is it using the default Spring Security filter chain with no custom configuration?
    • Is spring-boot-actuator-autoconfigure on the classpath?
    • Is spring-boot-health absent?
  • Any service matching all four conditions should be treated as having fully unprotected endpoints until patched.
  • Prioritise:
    • externally reachable services
    • services with Actuator endpoints enabled or exposed through ingress
  • If you suspect exposure, review HTTP access logs for requests to endpoints that should have required authentication and were served (2xx) rather than rejected; Actuator endpoints deserve particular attention. Rotate credentials accessible from the affected service runtime.
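A triage script for the precondition set listed under "What happened" and for the audit and log-review steps above, added here as an illustration; it is not code from the CERT-FR advisory or the Spring Boot project. It parses `mvn dependency:tree` output for the two module names the advisory gives (spring-boot-actuator-autoconfigure, spring-boot-health) and the Spring Boot core version. The servlet-stack heuristic, the list of protected paths, the sample dependency tree and the sample access-log lines are all constructed assumptions. A dependency tree cannot show whether a custom Spring Security configuration exists, so a CANDIDATE verdict means "check the security config and probe the running service", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added triage helpers for CVE-2026-40976 (not from the CERT-FR advisory or the
# Spring Boot project). Written for `mvn dependency:tree` output; Gradle's
# `dependencies` output uses a different line format and is not parsed here.
# Module coordinates are those named in the advisory; the servlet heuristic and
# the protected-path list are assumptions made for this example.

# Constructed sample: abbreviated Maven dependency tree for a 4.0.3 service that
# pulls in Actuator auto-configuration but not the Health module.
SAMPLE_TREE='[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:4.0.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:4.0.3:compile
[INFO] |  |  \- org.springframework.boot:spring-boot:jar:4.0.3:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:4.0.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:4.0.3:compile
[INFO] \- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:4.0.3:compile'

# has_artifact TREE ARTIFACT_ID -> true if that exact Spring Boot artifact is resolved
has_artifact() {
  printf '%s\n' "$1" | grep -qF -- "org.springframework.boot:$2:jar:"
}

# boot_version TREE -> the resolved version of the spring-boot core jar
boot_version() {
  printf '%s\n' "$1" | sed -n 's/.*org\.springframework\.boot:spring-boot:jar:\([^:]*\):.*/\1/p' | head -n 1
}

# in_affected_range VERSION -> true for 4.0.0 through 4.0.5 (CVE-2026-40976 scope)
in_affected_range() {
  case "$1" in
    4.0.[0-5]) return 0 ;;
    *) return 1 ;;
  esac
}

# classify TREE -> "CANDIDATE <version>" when every tree-visible precondition holds,
# otherwise "NOT_CANDIDATE" followed by the reasons. The remaining precondition
# (no custom Spring Security configuration) is not visible in a dependency tree,
# so CANDIDATE means: inspect the security config and probe the running service.
classify() {
  tree="$1"
  ver=$(boot_version "$tree")
  reasons=""
  in_affected_range "$ver" || reasons="$reasons version=$ver(not 4.0.0-4.0.5)"
  # Servlet heuristic (assumption): MVC starter or explicit webmvc module present.
  has_artifact "$tree" spring-boot-starter-web || has_artifact "$tree" spring-boot-webmvc \
    || reasons="$reasons no-servlet-web-stack"
  has_artifact "$tree" spring-boot-actuator-autoconfigure || reasons="$reasons no-actuator-autoconfigure"
  has_artifact "$tree" spring-boot-health && reasons="$reasons health-present"
  if [ -z "$reasons" ]; then
    printf 'CANDIDATE %s\n' "$ver"
  else
    printf 'NOT_CANDIDATE%s\n' "$reasons"
  fi
}

# probe URL -> HTTP status an unauthenticated client receives. A 2xx on a route
# that should require authentication is the symptom to look for; compare against
# a known-good 4.0.6 deployment of the same service.
probe() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Constructed sample: combined-format access log lines from a suspected exposure window.
SAMPLE_LOG='203.0.113.7 - - [24/Apr/2026:09:12:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.5"
203.0.113.7 - - [24/Apr/2026:09:12:05 +0000] "GET /actuator/env HTTP/1.1" 200 4821 "-" "curl/8.5"
198.51.100.9 - - [24/Apr/2026:09:13:40 +0000] "GET /admin/users HTTP/1.1" 200 9120 "-" "python-requests/2.32"
198.51.100.9 - - [24/Apr/2026:09:13:41 +0000] "GET /login HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Apr/2026:09:14:02 +0000] "GET /admin/users HTTP/1.1" 401 0 "-" "Mozilla/5.0"'

# suspicious_hits LOG -> lines where a path that should have required authentication
# was served with a 2xx. The path list is an assumption; substitute your own routes.
# In combined log format field 7 is the request path and field 9 the status code.
suspicious_hits() {
  printf '%s\n' "$1" | awk '$7 ~ /^\/(actuator\/(env|beans|heapdump|threaddump|mappings|configprops|loggers)|admin)/ && $9 ~ /^2/ { print }'
}

# Example run against the constructed samples:
classify "$SAMPLE_TREE"
suspicious_hits "$SAMPLE_LOG"
```

For a real service, generate the input with `mvn dependency:tree -DoutputFile=deps.txt` and call `classify "$(cat deps.txt)"`; feed `suspicious_hits` the access log for the window in question. A CANDIDATE service that also has no explicit SecurityFilterChain bean should then be probed with `probe` on a route you know must require authentication, and treated as fully exposed until it is on 4.0.6.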

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
