Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

GHSA-8v8j-3hxp-93wr · CVE-2026-40976

Published Apr 28, 2026 · Modified May 13, 2026

Description

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40976
PACKAGE https://github.com/spring-projects/spring-boot
WEB https://spring.io/security/cve-2026-40976

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes