CVE-2026-40973
HIGHDescription
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Is your site exposed to CVE-2026-40973?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| vmware | spring_boot |
| vmware | spring_boot |
| vmware | spring_boot |
| vmware | spring_boot |
| vmware | spring_boot |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-40973? +
How severe is CVE-2026-40973? +
What products are affected by CVE-2026-40973? +
How do I check if I'm vulnerable to CVE-2026-40973? +
Related Vulnerabilities
Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused …
Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set …
An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. The createTempFile method fails to …
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (Windows client deployments) …
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is …
Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker …