Critical (9.1)

Spring Boot default security bypass (CVE-2026-40976)

CVE-2026-40976

CVE-2026-40976: Spring Boot 4.0.0–4.0.5 default security filter chain bypass grants unauthenticated access to all endpoints, including actuators. Update to 4.0.6.

Affected: VMware Spring Boot

Patch now - CVE-2026-40976 is a critical default security bypass in Spring Boot 4.0.0 through 4.0.5 that grants unauthenticated access to all web endpoints, including sensitive actuator endpoints. Patched in version 4.0.6; update immediately.

Overview

CVE-2026-40976 (CVSS 9.1, CRITICAL) affects servlet-based Spring Boot web applications that rely entirely on the default auto-configured security filter chain and depend on the spring-boot-actuator-autoconfigure module. When spring-boot-health is not on the classpath and the application defines no Spring Security configuration of its own, the default web security becomes ineffective. An unauthenticated attacker can reach every endpoint, including whatever actuator endpoints the application exposes over HTTP; those may reveal application internals, environment variables and configuration properties, or permit operations such as heap dumps or shutdown where those endpoints have been enabled.

The vulnerability arises because the default security filter chain in affected versions does not enforce authentication when the actuator auto-configuration module is loaded but the health endpoint module is absent. The filter chain is assembled inconsistently for that combination, and the result is that every path is left unprotected.

Impact

An attacker with network access to a vulnerable application can:

  • Access every exposed actuator endpoint without authentication
  • Read environment variables, configuration properties, and application secrets (for example via /actuator/env)
  • Trigger operations such as thread dump, heap dump, or shutdown, where those endpoints are enabled and exposed
  • Use the disclosed material to pivot to further compromise of the application or its underlying infrastructure

The attacker cannot execute arbitrary code directly, but the information disclosed by actuator endpoints often provides the credentials, API keys, or infrastructure details needed to escalate to RCE or lateral movement. Exposed actuator endpoints, /actuator/env and /actuator/heapdump in particular, are a well-known source of credential leakage in real-world intrusions.

Remediation

Upgrade Spring Boot: The vendor has fixed this issue in version 4.0.6. All users running 4.0.0 through 4.0.5 should upgrade immediately. For environments where upgrading is not immediately possible, apply one or more of these mitigations:

  1. Add spring-boot-health to your project dependencies. This module's presence removes the trigger condition for the vulnerability.
  2. Define your own SecurityFilterChain bean. Spring Boot's default filter chain backs off only when the application registers a SecurityFilterChain bean of its own; an empty class annotated with @EnableWebSecurity registers no such bean and leaves the default chain in place, so it does not mitigate this issue.
  3. Deploy a reverse proxy or API gateway that enforces authentication before requests reach the Spring Boot application.
  4. Restrict network access to the application to trusted IP ranges only.

Note that mitigation (1) is not a comprehensive security measure; it simply avoids the vulnerable code path. Full mitigation requires upgrading to 4.0.6 or defining explicit security configuration. Whichever route you take, verify the result: an unauthenticated request to an exposed actuator endpoint other than health should return 401, not 200.
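The following is an added example of mitigation (2), written for this page and not code from the Spring Boot project or the advisory. It defines the SecurityFilterChain bean that makes Boot's default chain back off, leaves only the health endpoint unauthenticated, and requires an operator role for every other actuator path. The package name, the ops user, the ACTUATOR role, and the ACTUATOR_PASSWORD environment variable are assumptions for illustration; it also assumes Spring Security is on the classpath and that actuator is served on the application port under the default /actuator base path.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Explicit security configuration that replaces Spring Boot's auto-configured
 * default filter chain. Boot's default chain backs off only when the
 * application defines its own SecurityFilterChain bean. An empty class
 * carrying only @EnableWebSecurity registers no such bean and therefore
 * leaves the vulnerable default chain in place; the bean below is what
 * actually overrides it.
 */
@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes need health without credentials.
                .requestMatchers("/actuator/health", "/actuator/health/**").permitAll()
                // env, heapdump, threaddump, shutdown, ... require an operator
                // role, not merely "any authenticated user".
                .requestMatchers("/actuator/**").hasRole("ACTUATOR")
                // Default-deny for the rest of the application.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Operator account for the actuator role. Defining a UserDetailsService
     * bean also switches off Boot's generated default user. The credential is
     * read from an environment variable (assumed name) rather than hard-coded.
     */
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        String password = System.getenv("ACTUATOR_PASSWORD");
        if (password == null || password.isBlank()) {
            // Fail closed at startup instead of running with no operator credential.
            throw new IllegalStateException("ACTUATOR_PASSWORD must be set");
        }
        return new InMemoryUserDetailsManager(
            User.withUsername("ops")
                .password(encoder.encode(password))
                .roles("ACTUATOR")
                .build());
    }
}
```

After deploying, confirm the chain is in effect from outside the application: an unauthenticated `curl -i http://<host>:8080/actuator/env` should return 401, and the same request with `-u ops:<password>` should return 200 only if env is in `management.endpoints.web.exposure.include`. If actuator runs on a separate management port, that port has its own filter chain and the matchers above do not cover it; apply equivalent rules there.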

Security Insight

This vulnerability represents a recurring class of issue in auto-configuration frameworks: two optional modules interacting to open an unexpected security gap. Unlike a traditional code-level bug, this was a filter chain assembly logic error that left authentication enforcement unloaded. It mirrors earlier Spring Boot auto-configuration issues in which the presence or absence of a dependency silently changed the security posture. The lesson for development teams is that relying on framework defaults without explicit verification creates invisible attack surface, and that dependency management decisions have direct security consequences that a review of application code alone will not catch. Verify the effective posture rather than the intended one: an integration test that asserts unauthenticated requests to non-health actuator endpoints receive 401 would have caught this regardless of which modules happened to be on the classpath.
