Mallory

Spring fixes TLS hostname verification flaws and DevTools timing attack issue

Tags: open-source-dependency-vulnerability, identity-authentication-vulnerability, widely-deployed-product-advisory
Updated April 23, 2026 at 06:04 PM (4 sources)


Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for Elasticsearch, Cassandra, and RabbitMQ that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as CVE-2026-40970, CVE-2026-40974, and CVE-2026-40971, respectively, and could weaken certificate validation for connections to those backend services.
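The TLS flaws come down to a client being handed an SSL context that never had name matching switched on. JSSE sockets do not compare the server certificate against the hostname unless an endpoint identification algorithm is set, so a check for that setting, and the one-line fix, are what a defender wants. The following is added example code, not Spring Boot's auto-configuration; the default `SSLContext` stands in for one built from an SSL bundle.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Detects and repairs a JSSE client socket that would accept any valid certificate
 * regardless of the hostname it was issued for. Example code, not Spring's.
 */
public final class HostnameVerificationCheck {

    /** True only if the handshake will match the peer certificate against the target hostname. */
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    /** Hardening step: enable HTTPS-style (RFC 2818) endpoint identification on the socket. */
    static SSLSocket enableHostnameVerification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a context built from an SSL bundle (assumption: default JSSE context here).
        SSLContext context = SSLContext.getDefault();
        SSLSocketFactory factory = context.getSocketFactory();

        // The no-argument createSocket() returns an unconnected socket, so no network is touched.
        SSLSocket asConfigured = (SSLSocket) factory.createSocket();
        System.out.println("socket as created verifies hostname: " + verifiesHostname(asConfigured));

        SSLSocket hardened = enableHostnameVerification((SSLSocket) factory.createSocket());
        System.out.println("hardened socket verifies hostname:   " + verifiesHostname(hardened));
    }
}
```

The same `getEndpointIdentificationAlgorithm()` check can be applied to the `SSLParameters` a driver exposes before it connects, which is a cheap regression test to keep around after upgrading past these advisories.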

A fourth advisory, CVE-2026-40972, affects Spring DevTools and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.
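The DevTools issue is the classic early-exit comparison: a check that returns as soon as one character differs takes measurably longer the more of the secret the caller has already guessed right. Below, as an added illustration and not Spring's code, a comparison with that property sits beside a constant-time one; the secret value is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Timing-unsafe versus constant-time secret comparison. Example code, not Spring DevTools'. */
public final class SecretCompare {

    /** Early-exit comparison: work done grows with the length of the matching prefix. */
    static boolean leakyEquals(String expected, String presented) {
        if (expected.length() != presented.length()) {
            return false;              // a length mismatch is revealed immediately
        }
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != presented.charAt(i)) {
                return false;          // returns at the first differing character
            }
        }
        return true;
    }

    /**
     * Constant-time comparison: hashing both sides first gives equal-length inputs, so
     * MessageDigest.isEqual runs in time independent of where (or whether) they differ
     * and the original length is not leaked either.
     */
    static boolean constantTimeEquals(String expected, String presented) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = md.digest(presented.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-secret";   // constructed sample, not a real secret
        System.out.println(constantTimeEquals(secret, "constructed-sample-secret"));
        System.out.println(constantTimeEquals(secret, "constructed-sample-secreT"));
        System.out.println(leakyEquals(secret, "constructed-sample-secreT"));
    }
}
```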

Timeline

  1. Apr 23, 2026

    Spring discloses CVE-2026-40974 in Cassandra SSL auto-configuration

    Spring published an advisory for CVE-2026-40974, stating that Cassandra SSL auto-configuration disables TLS hostname verification.

  2. Apr 23, 2026

    Spring discloses CVE-2026-40972 affecting DevTools secret comparison

    Spring published an advisory for CVE-2026-40972, reporting that DevTools remote secret comparison is vulnerable to timing attacks.

  3. Apr 23, 2026

    Spring discloses CVE-2026-40971 in RabbitMQ SSL auto-configuration

    Spring published an advisory for CVE-2026-40971, stating that RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification.

  4. Apr 23, 2026

    Spring discloses CVE-2026-40970 in Elasticsearch SSL auto-configuration

    Spring published an advisory for CVE-2026-40970, stating that Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification.


Related Stories

Spring discloses Spring AI injection flaw and Spring gRPC security context issues

Spring published three security advisories covering **Spring AI** and **Spring gRPC**, including `CVE-2026-40967`, a flaw in VectorStore `FilterExpressionConverter` implementations that can let attackers manipulate generated vector store queries because keys and values are not properly escaped. The issue affects Spring AI versions `1.0.0` through `1.0.5` and `1.1.0` through `1.1.4`, and is fixed in `1.0.6` and `1.1.5`. External vulnerability tracking describes the bug as a high-severity code or query injection risk with CVSS `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L` and maps it to `CWE-94`. Spring also disclosed two **Spring gRPC** vulnerabilities: `CVE-2026-40968`, in which `SecurityContext` data can leak across requests after an authorization failure, and `CVE-2026-40969`, where an `AuthenticationException` message may be reflected back to a remote client. Together, the advisories point to risks of query manipulation, cross-request security context exposure, and unintended error-message disclosure in applications built on affected Spring components.

1 week ago

dCERT Flags vLLM Flaws and Spring Security Authentication Bypass

dCERT published two security advisories covering separate software risks: **multiple vulnerabilities in `vllm`** and a **VMware Tanzu Spring Security flaw that can bypass security measures**. The `vllm` advisory identifies more than one issue affecting the large language model serving software, while the Spring Security advisory warns that affected deployments may allow protections to be circumvented. The notices indicate that organizations using either product should review the relevant dCERT advisories, determine exposure in their environments, and prioritize remediation. The Spring Security issue is especially significant for internet-facing or authentication-dependent applications because a bypass in security controls can undermine access restrictions, while the `vllm` findings raise concern for AI infrastructure operators running vulnerable versions in production or shared environments.

Today

Spring Issues Security Updates Across Boot, Framework, Security, and Gateway

Spring published multiple security advisories covering several widely used components, including **Spring Cloud Gateway**, **Spring Security**, **Spring Authorization Server**, **Spring Framework**, and a critical update for **Spring Boot**. The Canadian Centre for Cyber Security said the advisories were released between April 9 and April 23 and identified affected version ranges across these product lines, with Spring Boot fixes specifically issued for the `4.0.x`, `3.5.x`, `3.4.x`, `3.3.x`, and `2.7.x` release branches. Canadian authorities urged organizations to review the referenced Spring advisories and apply the vendor updates for all impacted deployments. The notices describe the issue as a patching and vulnerability-management matter rather than confirmed active exploitation, but they emphasize that administrators should promptly update affected Spring environments to the patched versions listed by the vendor.

1 week ago
