View all Vulnerabilities

CVE-2026-40972

Information Exposure
Affects
Spring Boot
in
Spring
No items found.
Versions
>=1.3.0 <=2.7.32, >=3.3.0 <=3.3.18, >=3.4.0 <=3.4.15, >=3.5.0 <=3.5.13, >=4.0.0 <=4.0.5
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Boot is an open-source framework from the Spring team that simplifies building production-grade Java applications by providing opinionated auto-configuration, embedded servlet containers, and convention-based starters. Spring Boot DevTools is a developer-productivity module that, when remote support is enabled via spring.devtools.remote.secret, exposes an HTTP dispatcher for live class reloading and JDWP-style tunneling from a developer workstation to a running remote application.

A high-severity vulnerability (CVE-2026-40972) has been identified in the DevTools remote-access guard, HttpHeaderAccessManager. The class compared the secret header supplied by the caller against the configured secret using java.lang.String.equals, which short-circuits on the first mismatching character. A network-adjacent attacker can measure per-request response times to recover the secret one byte at a time. Once the secret is known, the attacker can authenticate to the DevTools remote endpoint, upload attacker-controlled class bytes through the remote restart server, and achieve remote code execution in the application JVM.

Per OWASP: "Processing timing may give/leak information on what is being done in the application/system background processes. It is possible that attackers can gather information on an application by monitoring the time it takes to complete a task or give a response." Authentication and secret comparison primitives are expected to execute in constant time so that this timing channel is closed.

This issue affects Spring Boot >=1.3.0 <=2.7.32, >=3.3.0 <=3.3.18, >=3.4.0 <=3.4.15, >=3.5.0 <=3.5.13, and >=4.0.0 <=4.0.5.

Details

Module Info

Vulnerability Info

Spring Boot DevTools can be configured to accept remote connections from a developer workstation by setting spring.devtools.remote.secret on the running application. When this property is set, RemoteDevToolsAutoConfiguration registers a DispatcherFilter that routes requests under the remote context path (default /.~~spring-boot!~) to DevTools handlers, including HttpRestartServer (remote class upload and live restart) and HttpTunnelServer (reverse tunnel). Every request to these handlers is gated by a single AccessManager bean, HttpHeaderAccessManager, which compares the value of a configurable HTTP header (spring.devtools.remote.secret-header-name, default X-AUTH-TOKEN) against the configured secret.

In the vulnerable implementation, HttpHeaderAccessManager held the expected secret as a String and performed the comparison with String.equals:

public class HttpHeaderAccessManager implements AccessManager {

    private final String headerName;

    private final String expectedSecret;

    public HttpHeaderAccessManager(String headerName, String expectedSecret) {
        Assert.hasLength(headerName, "'headerName' must not be empty");
        Assert.hasLength(expectedSecret, "'expectedSecret' must not be empty");
        this.headerName = headerName;
        this.expectedSecret = expectedSecret;
    }

    @Override
    public boolean isAllowed(ServerHttpRequest request) {
        String providedSecret = request.getHeaders().getFirst(this.headerName);
        return this.expectedSecret.equals(providedSecret);
    }

}

String.equals walks the two strings character by character and returns false at the first mismatch. The time spent inside isAllowed therefore scales with the length of the matching prefix between the attacker's guess and the real secret. An attacker on the same network as the remote application can submit repeated guesses and measure response times with sub-millisecond precision; by keeping the guess that took marginally longer, the attacker recovers the secret one byte at a time. The CVSS vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that the attack requires network adjacency and careful timing measurement (high attack complexity) but no prior credentials or user interaction.

Once the secret is recovered, the attacker is an authenticated DevTools remote client. Posting to the remote restart endpoint with attacker-supplied class bytes causes the DevTools restart class loader to load those classes into the live JVM on the next restart cycle, yielding code execution in the remote application as described by the advisory: "this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application."

The fix converts the expected secret to a UTF-8 byte array at construction time and replaces String.equals with java.security.MessageDigest.isEqual, which is documented and implemented to run in constant time regardless of where the first mismatch occurs.

MessageDigest.isEqual(byte[], byte[]) iterates over the full length of the shorter array, XOR-accumulates each byte-pair difference into a single integer, and only compares that accumulator to zero at the end. The execution time no longer depends on the position of the first mismatch, closing the timing oracle. An explicit null-guard on providedSecret was added to preserve the previous behavior when the header is missing.

HttpHeaderAccessManager has existed in essentially this form since Spring Boot 1.3.0, which introduced the remote DevTools feature in June 2015 . The vulnerable expectedSecret.equals(providedSecret) line was present from that first commit and remained unchanged until the April 2026 patch, so every Spring Boot release from 1.3.0 through the ranges listed above that enables remote DevTools is affected.

Mitigation

Only recent versions of Spring Boot receive community support and updates. See Spring Boot’s project support page for the current OSS support policy. We recommend the following courses of action:

  1. Upgrade to a currently-supported Spring Boot release (3.5.14 or 4.0.6 or later) that contains the constant-time comparison fix.
  2. Adopt HeroDevs Never-Ending Support for Spring Boot to receive the backported HttpHeaderAccessManager fix on 1.5.x, 2.5.x, 2.7.x, 3.2.x, 3.3.x, and 3.4.x while planning a longer-term upgrade. See NES for Spring for details.

Credits

No external finder is credited in the upstream advisory as of April 24, 2026.

Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2026-40974
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-40972
PROJECT Affected
Spring Boot
Versions Affected
>=1.3.0 <=2.7.32, >=3.3.0 <=3.3.18, >=3.4.0 <=3.4.15, >=3.5.0 <=3.5.13, >=4.0.0 <=4.0.5
NES Versions Affected
Published date
April 25, 2026
≈ Fix date
April 23, 2026
Fixed in
NES for Spring
Category
Information Exposure
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.