CVE-2026-40970: Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

April 27, 2026 (updated May 6, 2026)

When configured to use an SSL bundle, Spring Boot’s Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

References

github.com/advisories/GHSA-c96x-rpm4-349p
github.com/spring-projects/spring-boot
github.com/spring-projects/spring-boot/releases/tag/v4.0.6
nvd.nist.gov/vuln/detail/CVE-2026-40970
spring.io/security/cve-2026-40970

Code Behaviors & Features

Detect and mitigate CVE-2026-40970 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →