CVE-2026-40972: Spring Boot DevTools Timing Attack Exposes Secrets, RCE Risk

The National Vulnerability Database warns of CVE-2026-40972, a critical timing attack vulnerability affecting Spring Boot DevTools. An attacker on the same network as a vulnerable application can exploit this flaw to discern information about remote secrets. In severe scenarios, this can lead to the full compromise of the secret, enabling the attacker to upload altered classes and achieve remote code execution (RCE) within the application.

This vulnerability impacts multiple Spring Boot versions: 4.0.0 through 4.0.5 (fixed in 4.0.6), 3.5.0 through 3.5.13 (fixed in 3.5.14), 3.4.0 through 3.4.15 (fixed in 3.4.16), 3.3.0 through 3.3.18 (fixed in 3.3.19), and 2.7.0 through 2.7.32 (fixed in 2.7.33). The National Vulnerability Database further notes that unsupported versions are also affected, emphasizing the broad reach of this issue. With a CVSS score of 7.5 (HIGH), this is not a theoretical threat; it’s a direct path to RCE.
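A practical way to turn the version ranges above into an inventory check. This is an added example, not code from the advisory, NVD or the Spring Boot project; it assumes version strings of the form X.Y.Z with an optional qualifier (such as `.RELEASE` or `-SNAPSHOT`), and it encodes the NVD statement that unsupported release lines are affected and have no patched release.

```python
import re

# Affected ranges as stated in the advisory, per Spring Boot release line:
# (line, first affected, last affected, fixed in)
AFFECTED_LINES = [
    ((4, 0), (4, 0, 0), (4, 0, 5), (4, 0, 6)),
    ((3, 5), (3, 5, 0), (3, 5, 13), (3, 5, 14)),
    ((3, 4), (3, 4, 0), (3, 4, 15), (3, 4, 16)),
    ((3, 3), (3, 3, 0), (3, 3, 18), (3, 3, 19)),
    ((2, 7), (2, 7, 0), (2, 7, 32), (2, 7, 33)),
]

# Oldest release line per major that the advisory lists a fix for; anything older
# is treated as "unsupported", which NVD states is also affected (no fix available).
OLDEST_LISTED = {2: (2, 7), 3: (3, 3), 4: (4, 0)}


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' and tolerate qualifiers such as '2.7.18.RELEASE' or '3.5.0-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    return tuple(int(part) for part in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> dict:
    """Classify one Spring Boot version against the CVE-2026-40972 affected ranges."""
    v = parse_version(version_text)
    for line, first, last, fixed in AFFECTED_LINES:
        if v[:2] == line:
            status = "affected" if first <= v <= last else "fixed"
            return {"version": version_text, "status": status, "fixed_in": fmt(fixed)}
    major = v[0]
    if major < 2 or v[:2] < OLDEST_LISTED.get(major, (major, 0)):
        # Older, unsupported line: affected per NVD, with no patched release on that line.
        return {"version": version_text, "status": "unsupported-affected", "fixed_in": None}
    # Newer than anything the advisory lists (e.g. a later release line): not covered here.
    return {"version": version_text, "status": "not-listed", "fixed_in": None}


def needs_action(versions) -> list:
    """Return the inventory entries that must be patched or migrated."""
    return [v for v in versions if assess(v)["status"] in ("affected", "unsupported-affected")]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for entry in ["3.5.12", "3.5.14", "2.7.18.RELEASE", "3.2.5", "4.0.6"]:
        print(assess(entry))
```

Feed `needs_action` the Spring Boot versions from your SBOM or `/actuator/info` output; entries that come back as `unsupported-affected` have no patched release on their line and must move to a supported line at or above its fixed version.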

The core issue lies in the DevTools remote secret comparison mechanism (CWE-208). Attackers leverage subtle timing differences in how the application responds to secret validation attempts. This isn’t a complex exploit; it’s a classic side-channel attack that, when successful, provides the keys to the kingdom. Defenders need to recognize that ‘same network’ doesn’t mean ‘safe network’ – lateral movement is a given in most real-world breaches.
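The CWE-208 mechanism, as an added illustration that is not code from the advisory or from Spring Boot: a comparison that stops at the first mismatching byte does work proportional to the correct prefix of the supplied value, and that work difference is what a network attacker measures. The hardened form does the same amount of work for every input. The sample secret and guesses are constructed; `naive_secret_matches`, `constant_work_secret_matches`, `production_secret_matches` and `work_profile` are this example's own names. On the JVM the equivalent of `hmac.compare_digest` is `java.security.MessageDigest.isEqual`.

```python
import hmac


def naive_secret_matches(expected: str, supplied: str) -> tuple:
    """The CWE-208 pattern: a comparison that returns at the first differing byte.

    Returns (match, bytes_examined). The second value stands in for elapsed time:
    it grows with the length of the correct prefix the caller supplied.
    """
    e, s = expected.encode(), supplied.encode()
    examined = 0
    if len(e) != len(s):
        return False, examined
    for a, b in zip(e, s):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_work_secret_matches(expected: str, supplied: str) -> tuple:
    """Hardened form: always examines every byte of the expected secret.

    Returns (match, bytes_examined); bytes_examined is len(expected) for any input,
    so the work done no longer reveals how much of the guess was right.
    """
    e, s = expected.encode(), supplied.encode()
    same_length = len(e) == len(s)
    if not same_length:
        s = e  # keep the loop length fixed; the result is forced to False below
    diff = 0
    examined = 0
    for a, b in zip(e, s):
        examined += 1
        diff |= a ^ b  # accumulate instead of branching on the first mismatch
    return (same_length and diff == 0), examined


def production_secret_matches(expected: str, supplied: str) -> bool:
    """What to actually ship: the standard library's constant-time comparison
    (hmac.compare_digest here; java.security.MessageDigest.isEqual on the JVM)."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def work_profile(compare, expected: str, guesses) -> list:
    """How much work each guess triggers under a given comparison function.

    Under naive_secret_matches the numbers track the correct-prefix length, which is
    exactly the signal CWE-208 leaks; under the hardened form they are all equal.
    """
    return [compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    # Constructed sample secret and guesses, not values from the advisory.
    secret = "s3cr3t"
    guesses = ["xxxxxx", "s3xxxx", "s3cr3x", "s3cr3t"]
    print("naive:    ", work_profile(naive_secret_matches, secret, guesses))
    print("hardened: ", work_profile(constant_work_secret_matches, secret, guesses))
```

The `examined` counter is a deterministic stand-in for wall-clock time so the leak is visible without noisy measurements; the explicit loop exists only to show the principle, and real code should call the library primitive, which also avoids the interpreter-level timing variance a hand-written loop still has.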

What This Means For You

  • If your organization uses Spring Boot applications, especially with DevTools enabled in production or staging environments, you need to act immediately. This timing attack gives a network attacker RCE. Identify all instances running affected Spring Boot versions, prioritize patching to the specified fixed versions, or disable DevTools remote secret comparison if patching isn't feasible right now. Do not underestimate 'same network' access; it's often an internal attacker or a compromised device.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

🛡️ Detection Rules

Three detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; the Sigma YAML of the first is shown below.

Rule 1 (level: high, T1190 Initial Access): Spring Boot DevTools Remote Secret Timing Attack

Sigma YAML:
title: Spring Boot DevTools Remote Secret Timing Attack - Free Tier
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects requests to specific Spring Boot DevTools endpoints that are vulnerable to timing attacks. Attackers can leverage these endpoints to infer the remote secret, potentially leading to RCE. This rule targets the initial access vector described in CVE-2026-40972.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40972/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # One list under a single key: Sigma ORs the values. Repeating the
    # 'cs-uri|contains' key, as the original did, is a duplicate YAML mapping
    # key and most loaders keep only the last one.
    cs-uri|contains:
      - '/devtools/debug/threaddump/'
      - '/devtools/debug/heapdump/'
      - '/devtools/debug/env/'
      - '/devtools/debug/restart/'
  # condition belongs at the detection level, not inside the selection
  condition: selection
  # Note: DevTools remote requests are tunnelled under spring.devtools.remote.context-path
  # (default '/.~~spring-devtools~~.'), which this list does not cover.
falsepositives:
  - Legitimate administrative activity
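The rule's selection applied to web server logs, as an added example that is not part of the page, the SCW feed or any Sigma backend. It assumes W3C extended log lines with the field order in `FIELDS`; the log lines are constructed. It goes one step beyond the rule above by also matching Spring Boot's default remote DevTools context path (`spring.devtools.remote.context-path`, default `/.~~spring-devtools~~.`), since the rule's four paths do not cover it, and it aggregates hits per client address, which is the signal that separates a probing client from a single administrative call.

```python
from collections import Counter

# W3C extended log field order assumed for the sample lines below (constructed).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# The four substrings from the Sigma rule, plus (beyond the rule) Spring Boot's
# default remote DevTools context path, spring.devtools.remote.context-path.
SUSPICIOUS_URI_SUBSTRINGS = [
    "/devtools/debug/threaddump/",
    "/devtools/debug/heapdump/",
    "/devtools/debug/env/",
    "/devtools/debug/restart/",
    "/.~~spring-devtools~~.",
]

# Constructed sample log lines, not from any real system.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2026-04-28 03:20:11 10.0.0.5 GET /devtools/debug/env/ - 8080 - 10.0.0.77 curl/8.4.0 401",
    "2026-04-28 03:20:12 10.0.0.5 GET /actuator/health - 8080 - 10.0.0.9 kube-probe/1.29 200",
    "2026-04-28 03:20:13 10.0.0.5 POST /.~~spring-devtools~~./restart - 8080 - 10.0.0.77 Java/17.0.2 403",
    "2026-04-28 03:20:14 10.0.0.5 GET /DevTools/Debug/Restart/ - 8080 - 10.0.0.78 python-requests/2.31 404",
    "2026-04-28 03:20:15 10.0.0.5 GET /api/orders/42 - 8080 - 10.0.0.12 Mozilla/5.0 200",
]


def parse_w3c(line: str):
    """Split one W3C extended log line into a field dict; None for directives or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_rule(event: dict) -> bool:
    """Sigma 'cs-uri|contains' over a list is an OR of case-insensitive substring tests."""
    uri = event.get("cs-uri", "").lower()
    return any(needle.lower() in uri for needle in SUSPICIOUS_URI_SUBSTRINGS)


def scan(lines) -> list:
    """Return the parsed events that the rule's selection matches."""
    hits = []
    for line in lines:
        event = parse_w3c(line)
        if event is not None and matches_rule(event):
            hits.append(event)
    return hits


def hits_by_source(hits) -> Counter:
    """Repeated probes from one client are what distinguish an attack from a stray admin call."""
    return Counter(event["c-ip"] for event in hits)


if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        print(event["c-ip"], event["cs-method"], event["cs-uri"], event["sc-status"])
    print(hits_by_source(scan(SAMPLE_LOG)))
```

Status codes matter when triaging the hits: a run of 401/403 responses to DevTools paths from one client is the pattern to escalate, while a lone 200 from an operator's workstation is the rule's listed false positive.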


Indicators of Compromise

ID              Type                    Indicator
CVE-2026-40972  Information Disclosure  Timing attack to discover remote secret
CVE-2026-40972  RCE                     Uploading changed classes via determined secret
CVE-2026-40972  Misconfiguration        Spring Boot DevTools remote secret comparison
CVE-2026-40972  Affected Software       Spring Boot versions 4.0.0-4.0.5 (fix 4.0.6)
CVE-2026-40972  Affected Software       Spring Boot versions 3.5.0-3.5.13 (fix 3.5.14)

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
