Spring Product Security Update Advisory

Apr 28 2026

Overview

A security update was released to address a vulnerability in Spring products. users of the affected products were advised to update to the latest version.

Affected Products and Versions

Spring Boot 4.0.0 or later and 4.0.5 or earlier.
Spring Boot 3.5.0 or later and 3.5.13 or earlier.
Spring Boot 3.4.0 or later and 3.4.15 or earlier.
Spring Boot 3.3.0 or later and 3.3.18 or earlier.
Spring Boot 2.7.0 or later, but not earlier than 2.7.32.

Resolved Vulnerabilities

CVE-2026-40972: DevTools remote secret comparison in Spring Boot is vulnerable to timing attacks.
CVE-2026-40973: Predictable temporary directory स्वीकार without ownership verification in Spring Boot.

Patch versions

Spring Boot 4.0.6.
Spring Boot 3.5.14.
Spring Boot 3.4.16.
Spring Boot 3.3.19.
Spring Boot 2.7.33.

Note

it is necessary to update to the latest version of the Vulnerability Patch by following the instructions on the reference site.

Spring Product Security Update Advisory

Overview

Affected Products and Versions

Resolved Vulnerabilities

Patch versions

Note

OpenSSL Product Security Update Advisory

Mozilla Product Security Update Advisory

Overview

Affected Products and Versions

Resolved Vulnerabilities

Patch versions

Note

Tags:

OpenSSL Product Security Update Advisory

Mozilla Product Security Update Advisory