A security misconfiguration flaw in Spring Boot 4.0 — the latest major release of the most widely used Java application framework in enterprise environments — allows unauthenticated remote attackers to access the full suite of Spring Boot Actuator management endpoints when applications are configured in a common but specific way. CVE-2026-40976, rated CVSS 9.1, affects Spring Boot versions 4.0.0 through 4.0.5 and was patched in the 4.0.6 release published April 28, 2026.
The Vulnerability
Spring Boot’s Actuator module exposes management endpoints (/actuator/*) that provide health monitoring, metrics, heap dumps, environment variable listings, log level control, and configuration mappings for running applications. These endpoints are intended for internal monitoring use and should never be exposed unauthenticated to untrusted networks.
Spring Boot’s auto-configuration is designed to apply default security restrictions to Actuator endpoints when spring-boot-starter-security is on the classpath. However, CVE-2026-40976 exposes a flaw in how this default security is resolved in the 4.0 release series:
When an application includes spring-boot-actuator-autoconfigure but does not include the spring-boot-health dependency (a change in Spring Boot 4.0’s modular structure), the security auto-configuration’s endpoint-to-security-filter mapping fails to apply correctly. The result is that all Actuator endpoints bypass Spring Security’s filter chain entirely, becoming accessible without authentication regardless of any SecurityFilterChain beans defined in the application.
Critically, this failure mode is silent — no warning is logged, and the application starts normally. Developers who migrated from Spring Boot 3.x without explicitly specifying the spring-boot-health dependency (which was previously bundled by default) will encounter this behaviour without indication that security has failed to apply.
Exposed Endpoints and Their Impact
The unauthenticated exposure of Actuator endpoints creates several distinct attack vectors:
| Endpoint | Exposure |
|---|---|
| /actuator/heapdump | Downloads a full JVM heap snapshot — contains in-memory secrets, credentials, session tokens, and application data |
| /actuator/env | Lists all environment variables and Spring properties — database passwords, API keys, cloud credentials in plain text |
| /actuator/loggers | Allows changing log levels at runtime — can enable DEBUG logging to capture sensitive data in logs |
| /actuator/mappings | Reveals all application URL mappings — aids targeted exploitation of application-layer vulnerabilities |
| /actuator/beans | Lists all Spring beans — reveals application structure and third-party integrations |
| /actuator/shutdown | If enabled, terminates the application — denial of service |
The /actuator/heapdump endpoint is the most immediately dangerous. A heap dump from a running Java application reliably contains plaintext copies of recently used secrets, database connection strings, JWT signing keys, and OAuth client secrets — data that persists in heap until garbage collected.
Affected Configurations
The vulnerability specifically affects:
- Spring Boot 4.0.0–4.0.5
- Applications with spring-boot-actuator-autoconfigure on the classpath
- Applications that do not explicitly include spring-boot-health as a dependency
- Applications relying on Spring Boot’s default security auto-configuration rather than explicitly securing endpoints
Applications that explicitly define a SecurityFilterChain bean that covers Actuator endpoints, or that use Spring Boot 3.x (which is not affected), are not vulnerable.
Remediation
Preferred: Upgrade to Spring Boot 4.0.6, which corrects the security filter chain resolution logic.
Temporary workaround (if immediate upgrade is not possible):
- Explicitly add spring-boot-health to your pom.xml or build.gradle dependencies
- Or explicitly secure Actuator endpoints in a SecurityFilterChain bean: requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
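The second workaround spelled out as a complete configuration class. This is an added example, not code from the article or from the Spring project: it declares a dedicated SecurityFilterChain that matches every Actuator endpoint and requires authentication for all of them, so the application no longer depends on the default auto-configuration that fails silently in 4.0.0–4.0.5. The package name is hypothetical, and the import path for EndpointRequest is the Spring Boot 3.x location (assumed here; verify it against the 4.0 module layout before use).

```java
// Added example (not from the article): an explicit SecurityFilterChain for
// Actuator endpoints. Package name is hypothetical; the EndpointRequest import
// is the Spring Boot 3.x path and is assumed to be valid for your 4.0 build.
package com.example.config;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before the application's own SecurityFilterChain beans
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // Scope this chain to Actuator endpoints only, wherever the management
            // base path is mounted, so it does not interfere with application routes.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes may stay open for orchestrators;
                // drop this line if health must also be authenticated.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Everything else (env, heapdump, loggers, mappings, beans, ...)
                // requires an authenticated caller, matching the article's workaround.
                .anyRequest().authenticated())
            // HTTP Basic is the simplest scheme for monitoring tooling; swap in your
            // organisation's authentication mechanism as appropriate.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Because the chain is scoped with securityMatcher rather than added as a rule inside the application's main chain, it protects the endpoints even if the main chain is later reworked; after deploying it, confirm the result with the detection step below rather than assuming the bean was picked up.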
Detection: Check whether your Spring Boot 4.0 application exposes Actuator endpoints unauthenticated:
curl -s http://localhost:8080/actuator | jq .
If this returns endpoint listings without an authentication challenge, the application is vulnerable.
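A slightly more thorough self-check than the single curl command, written against your own service. This is an added example, not part of the article: it requests the Actuator index plus the read-only endpoints from the table above without credentials and reports, per path, whether the service answered (200, meaning the default security did not apply), challenged (401/403), or has the endpoint unexposed (404). It deliberately skips /actuator/heapdump and /actuator/shutdown, since requesting those against a live service would trigger a heap dump or stop the application. The base URL and the path list are assumptions.

```java
// Added example (not from the article): unauthenticated self-check of Actuator
// exposure on your own Spring Boot service. Base URL and path list are assumed.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.List;

public class ActuatorExposureCheck {

    // Index plus read-only endpoints from the article's table. heapdump and
    // shutdown are intentionally omitted: a GET would dump the heap or stop the app.
    private static final List<String> PATHS = List.of(
        "/actuator",
        "/actuator/env",
        "/actuator/loggers",
        "/actuator/mappings",
        "/actuator/beans");

    /** Interprets the HTTP status of an unauthenticated request to an Actuator path. */
    static String verdict(int status) {
        return switch (status) {
            case 200 -> "EXPOSED: answered without authentication";
            case 401, 403 -> "protected: authentication challenge returned";
            case 404 -> "not exposed over HTTP (endpoint disabled or not included)";
            default -> "unexpected status " + status + ", inspect manually";
        };
    }

    public static void main(String[] args) throws Exception {
        // Point this at your own application; default matches the article's curl command.
        String base = args.length > 0 ? args[0] : "http://localhost:8080";
        HttpClient client = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();

        boolean anyExposed = false;
        for (String path : PATHS) {
            HttpRequest req = HttpRequest.newBuilder(URI.create(base + path))
                .GET()
                .timeout(Duration.ofSeconds(10))
                .build();
            // Body is discarded: only the status code is needed for the verdict.
            HttpResponse<Void> resp = client.send(req, HttpResponse.BodyHandlers.discarding());
            String v = verdict(resp.statusCode());
            System.out.printf("%-22s %3d  %s%n", path, resp.statusCode(), v);
            anyExposed |= resp.statusCode() == 200;
        }

        // Non-zero exit lets this run as a gate in a deployment pipeline.
        System.exit(anyExposed ? 1 : 0);
    }
}
```

A 200 on /actuator alone is already the failure condition the article describes; the remaining paths show which of the endpoints from the impact table are actually reachable in your configuration. Run it before and after applying the upgrade or the workaround so the change in verdicts is visible.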
Deployment Scope
Spring Boot is the foundation of a significant proportion of enterprise Java microservices and REST API backends. Spring Boot 4.0 was released in late 2025 and has seen rapid adoption given its Java 21 LTS baseline requirement and virtual thread integration. Any organisation that has migrated services to Spring Boot 4.0 in the past six months without explicit security configuration of Actuator endpoints should treat this as an urgent patch priority, particularly for services deployed in environments where internal networks are not considered fully trusted (cloud-native, zero-trust, containerised microservices deployments).