CVE-2026-40970 — Improper Certificate Validation in Spring Boot

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

5.0MEDIUMNVD

EPSS

0.0%

top 97.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

5

Spring Boot Apache Log4j Devspaces Openvsx-rhel9 +2 more

Timeline

PublishedApr 27

Description

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 1.6 | Impact: 3.4

Affected Packages5 packages

▶CVEListV5spring/spring_boot4.0.0 — 4.0.6

▶Red Hatapache/log4j

▶Red Hatlog4j_2/log4j

▶Red Hatdevspaces/openvsx-rhel9

▶Red Hatdevspaces/pluginregistry-rhel9

🔴Vulnerability Details

1

VulDB

Vmware Spring Boot up to 4.0.5 Elasticsearch Auto-configuration certificate validation↗2026-04-27

▶

📋Vendor Advisories

1

Red Hat

Spring Boot: Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows information disclosure↗2026-04-27

▶

💬Community

1

Bugzilla

CVE-2026-40970 Spring Boot: Spring Boot: Missing hostname verification in Elasticsearch auto-configuration allows information disclosure↗2026-04-27

▶

CVE-2026-40970 — Improper Certificate Validation | cvebase