CVE-2026-40976: Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

April 28, 2026 (updated May 6, 2026)

In certain circumstances, Spring Boot’s default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable.

Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

References

github.com/advisories/GHSA-8v8j-3hxp-93wr
github.com/spring-projects/spring-boot
nvd.nist.gov/vuln/detail/CVE-2026-40976
spring.io/security/cve-2026-40976

Code Behaviors & Features

Detect and mitigate CVE-2026-40976 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →