CVE-2026-40975
high
CVSS v3
7.5
CVSS v2
—
VIR risk
7.5
Description
Spring Boot's random value property source uses a weak PRNG unsuitable for secrets
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@vmware.com — https://spring.io/security/cve-2026-40975
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework.boot:spring-boot-cassandra | >=4.0.0,<4.0.6 | 4.0.6 |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.5.0,<3.5.14 | 3.5.14 |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.4.0,<=3.4.15 | |
| Maven | org.springframework.boot:spring-boot-cassandra | >=3.3.0,<=3.3.18 | |
| Maven | org.springframework.boot:spring-boot-cassandra | <=2.7.32 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | <= 2.7.32 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.3.0, <= 3.3.18 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.4.0, <= 3.4.15 | |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 3.5.0, < 3.5.14 | 3.5.14 |
| MAVEN | org.springframework.boot:spring-boot-cassandra | >= 4.0.0, < 4.0.6 | 4.0.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vmware | spring_boot | {"endExcluding":"2.7.33"} | 2.7.33 |
References
CWEs
CWE-330
Verify integrity in audit chain (admin only). AS-IS.