CVE-2026-40977

Published: Apr 28, 2026 Last Modified: Apr 30, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,7

Source: [email protected]

Attack Vector: local

Attack Complexity: high

Privileges Required: high

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: high

Description

AI Translation Available

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.

Improper Link Resolution Before File Access ('Link Following')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Other

Potential Impacts:

Read Files Or Directories Modify Files Or Directories Bypass Protection Mechanism Execute Unauthorized Code Or Commands

Applicable Platforms

Operating Systems: Windows, Unix

Likelihood of Exploit: Medium

View CWE Details

Application

Spring Boot by Vmware

Product Information

Vendor Vmware

Product Spring Boot

Version Range Affected

From 4.0.0 (inclusive)

To 4.0.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Spring Boot by Vmware

Product Information

Vendor Vmware

Product Spring Boot

Version Range Affected

From 3.3.0 (inclusive)

To 3.3.19 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Spring Boot by Vmware

Product Information

Vendor Vmware

Product Spring Boot

Version Range Affected

To 2.7.33 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Spring Boot by Vmware

Product Information

Vendor Vmware

Product Spring Boot

Version Range Affected

From 3.4.0 (inclusive)

To 3.4.16 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Spring Boot by Vmware

Product Information

Vendor Vmware

Product Spring Boot

Version Range Affected

From 3.5.0 (inclusive)

To 3.5.14 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://spring.io/security/cve-2026-40977

CVE-2026-40977

Description

Improper Link Resolution Before File Access ('Link Following')

Common Consequences

Applicable Platforms

Spring Boot by Vmware

Product Information

Spring Boot by Vmware

Product Information

Spring Boot by Vmware

Product Information

Spring Boot by Vmware

Product Information

Spring Boot by Vmware

Product Information

Iscriviti alla newsletter