View all Vulnerabilities

CVE-2026-40974

Incorrectly Configured Access Control
Affects
Spring Boot
in
Spring
No items found.
Versions
>=1.3.0 <=2.7.32, >=3.0.0 <=3.3.18, >=3.4.0 <=3.4.15, >=3.5.0 <=3.5.13, >=4.0.0 <=4.0.5
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Boot is a convention-over-configuration framework for building stand-alone, production-grade applications on the Spring platform. Its auto-configuration for Apache Cassandra wires up a CqlSession (DataStax Java driver 4, or Cluster on the driver 3 line used by pre-2.3 Boot) from spring.cassandra.* (or legacy spring.data.cassandra.*) properties, including an opt-in SSL mode that Spring Boot configures on behalf of the DataStax driver.

A medium-severity vulnerability (CVE-2026-40974) has been identified in that auto-configuration. When an application enables SSL to Cassandra, Spring Boot hands the driver an SSLContext or SslEngineFactory that does not request TLS hostname verification. The DataStax driver honors exactly what it is given, so the resulting SSLEngine never sets SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") and the client accepts any certificate that chains to a trusted CA, regardless of the hostname in the certificate. An attacker on an adjacent network who can intercept the TCP stream to the Cassandra cluster and present a valid-but-wrong certificate, can impersonate the cluster, read queries and result rows, and alter CQL traffic in flight.

Per OWASP: a manipulator-in-the-middle attack "allows a malicious actor to intercept, send and receive data to and from two parties communicating with each other but never letting them know that the 'middle man' exists." TLS is meant to block that attack class by binding each session to a specific server identity; skipping hostname verification leaves only the CA-chain check in place, which is not enough to stop an attacker who can obtain any certificate the client trusts.

The CVSS v3.1 base score for this vulnerability is 3.9 (advisory classifies it as Medium) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. Attack vector is adjacent network, attack complexity is high (the attacker needs both network position and a certificate the client trusts issued to a different host), no privileges or user interaction are required, and impact to confidentiality, integrity, and availability are each low.

Spring Boot's Cassandra auto-configuration has skipped hostname verification since Cassandra support was first added in Spring Boot 1.3 (December 2014). The DataStax driver 3 path (Cluster.Builder.withSSL()) and the DataStax driver 4 path (CqlSessionBuilder.withSslContext(SSLContext.getDefault()), and later the 2-argument ProgrammaticSslEngineFactory(SSLContext, String[]) constructor used when an SSL bundle is configured) all default to hostname verification disabled. This issue affects versions 1.3.0 through 2.7.32, 3.0.0 through 3.3.18, 3.4.0 through 3.4.15, 3.5.0 through 3.5.13, and 4.0.0 through 4.0.5 of Spring Boot.

Details

Module Info

Vulnerability Info

The vulnerability is in CassandraAutoConfiguration in the spring-boot-autoconfigure module. The class configures a CqlSession (or a Cluster on pre-2.3 Spring Boot) on behalf of the application and applies the application's SSL properties when SSL is enabled.

An application is vulnerable when all of the following are true:

  • The application uses Spring Boot's Cassandra auto-configuration (it does not define its own CqlSession/Cluster bean).
  • The application enables Cassandra SSL via spring.cassandra.ssl.enabled=true, spring.cassandra.ssl.bundle=<name>, the legacy spring.data.cassandra.ssl=true, or a connection-details bean that returns a non-null SslBundle.
  • The application does not supply a CqlSessionBuilderCustomizer, DriverConfigLoaderBuilderCustomizer, or ClusterBuilderCustomizer that installs a custom SslEngineFactory/SSLOptions with HTTPS endpoint identification enabled.

Prior to the fix, CassandraAutoConfiguration.configureSsl on Spring Boot 3.1 and later looked like this:

private void configureSsl(CqlSessionBuilder builder, CassandraConnectionDetails connectionDetails) {
    SslBundle sslBundle = connectionDetails.getSslBundle();
    if (sslBundle == null) {
        return;
    }
    SslOptions options = sslBundle.getOptions();
    Assert.state(options.getEnabledProtocols() == null, "SSL protocol options cannot be specified with Cassandra");
    builder
        .withSslEngineFactory(new ProgrammaticSslEngineFactory(sslBundle.createSslContext(), options.getCiphers()));
}

The 2-argument constructor ProgrammaticSslEngineFactory(SSLContext sslContext, String[] cipherSuites) is documented by DataStax as building a factory with "no host name validation." The factory creates an SSLEngine whose SSLParameters never have setEndpointIdentificationAlgorithm("HTTPS") called on them, so hostname verification never runs.

On Spring Boot 2.3 through 3.0 (and also on 3.1+ when no SSL bundle is configured), auto-configuration takes a different code path that calls:

builder.withSslContext(SSLContext.getDefault());

CqlSessionBuilder.withSslContext(SSLContext) is a convenience method in the DataStax driver 4 that, per the driver's own documentation, does not support customising cipher suites or enabling hostname validation; hostname validation is off.

On Spring Boot 1.3 through 2.2 (DataStax driver 3), the same code path reduces to:

if (properties.isSsl()) {
    builder.withSSL();
}

Cluster.Builder.withSSL() is a shortcut for withSSL(JdkSSLOptions.builder().build()). The resulting SSLOptions do not call setEndpointIdentificationAlgorithm("HTTPS"), so the driver 3 client also accepts certificates issued for any host.

In all three code paths, the certificate-chain check still runs (the client will reject a certificate chained to an untrusted CA), but the hostname check is skipped. An attacker who can obtain any certificate the client trusts (for example, a mis-issued certificate, a tenant-issued cert on a shared PKI, or a cert from a CA added to the application's trust store for unrelated reasons) can redirect Cassandra traffic through their own proxy via DNS, ARP, or routing manipulation and will not be detected by the TLS layer.

The caller passes this.properties.getSsl().isVerifyHostname(), and DataStax's 3-argument ProgrammaticSslEngineFactory(SSLContext, String[], boolean) constructor sets the HTTPS endpoint-identification algorithm on the engine when the flag is true. Applications that need to preserve the old behavior (for example, connecting by IP in a lab) can set spring.cassandra.ssl.verify-hostname=false explicitly, which reintroduces the weakness this CVE fixes and is not recommended.

Mitigation

Only recent versions of Spring Boot receive community support and updates. The 2.7.x, 3.3.x, and 3.4.x lines that this advisory lists as "Enterprise Support Only" do not have a publicly available fix for this vulnerability; neither do earlier end-of-life lines such as 1.3.x, 1.5.x, 2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x, 3.0.x, 3.1.x, and 3.2.x.

Users of the affected components should apply one of the following mitigations:

  1. Upgrade to a currently supported OSS version of Spring Boot (3.5.14 or 4.0.6 or later).
  2. Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support NES for Spring Boot.

Credits

No external finder is credited in the upstream advisory as of April 24, 2026.

Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2026-40974
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-40974
PROJECT Affected
Spring Boot
Versions Affected
>=1.3.0 <=2.7.32, >=3.0.0 <=3.3.18, >=3.4.0 <=3.4.15, >=3.5.0 <=3.5.13, >=4.0.0 <=4.0.5
NES Versions Affected
Published date
April 25, 2026
≈ Fix date
April 23, 2026
Fixed in
NES for Spring
Category
Incorrectly Configured Access Control
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.