CVE-2026-40974
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification
Predictions
Exploit likelihood
87%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@vmware.com — https://spring.io/security/cve-2026-40974
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework.boot:spring-boot-cassandra | >=4.0.0,<4.0.6 | 4.0.6 |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.5.0,<3.5.14 | 3.5.14 |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.4.0,<=3.4.15 | |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.3.0,<=3.3.18 | |
| Maven | org.springframework.boot:spring-boot-cassandra | <=2.7.32 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | <= 2.7.32 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.3.0, <= 3.3.18 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.4.0, <= 3.4.15 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.5.0, < 3.5.14 | 3.5.14 |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 4.0.0, < 4.0.6 | 4.0.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vmware | spring_boot | {"startIncluding":"2.7.0","endExcluding":"2.7.33"} | 2.7.33 |
References
CWEs
CWE-295
Verify integrity in audit chain (admin only). AS-IS.