CVE-2026-40975
Summary
| CVE | CVE-2026-40975 |
|---|---|
| State | PUBLISHED |
| Assigner | vmware |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-28 00:16:24 UTC |
| Updated | 2026-06-30 03:19:21 UTC |
| Description | Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.000280000 probability, percentile 0.077440000 (date 2026-04-28)
Problem Types: CWE-330 | CWE-338 | CWE-330 CWE-330: Use of Insufficiently Random Values | CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | ADP | CVSS | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| 3.1 | [email protected] | Secondary | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| 3.1 | CNA | CVSS | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Vmware | Spring Boot | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Spring | Spring Boot | affected 4.0.0 4.0.6 custom | Not specified |
| CNA | Spring | Spring Boot | affected 3.5.0 3.5.14 custom | Not specified |
| CNA | Spring | Spring Boot | affected 3.4.0 3.4.16 custom | Not specified |
| CNA | Spring | Spring Boot | affected 3.3.0 3.3.19 custom | Not specified |
| CNA | Spring | Spring Boot | affected 2.7.0 2.7.33 custom | Not specified |
| ADP | Red Hat | HawtIO HawtIO 4.4.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8.6.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.28 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4.18.1 For Spring Boot 3.5.14 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Clients | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of OptaPlanner 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| spring.io/security/cve-2026-40975 | [email protected] | spring.io | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:17668 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40975.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-40975 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22619 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-28T00:01:58.716Z | Reported to Red Hat. |
| ADP | 2026-04-27T23:32:58.596Z | Made public. |
Solutions
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:22619: Red Hat Data Grid 8.6.1
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
ADP: RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14
Workarounds
ADP: Applications utilizing Spring Boot should avoid using the `${random.value}` property for generating cryptographic secrets or other security-sensitive data. Developers should review their application configurations and code to ensure that only cryptographically strong random number generators are used for such purposes. For UUID generation, `${random.uuid}` is not affected and can be used.