Spring Boot CVE-2026-40973: Local Attacker Can Hijack Sessions, Execute Code

The National Vulnerability Database (NVD) has detailed CVE-2026-40973, a high-severity vulnerability (CVSS 7.0) affecting multiple versions of Spring Boot. This flaw, categorized as CWE-377, allows a local attacker on the same host to manipulate the ApplicationTemp directory. If server.servlet.session.persistent is set to true, and the attacker maintains persistence across application restarts, this vulnerability becomes critical.

An attacker could exploit this by taking control of the temporary directory, potentially reading session information and hijacking authenticated user sessions. Worse, it creates an avenue for deploying a gadget chain, leading to arbitrary code execution under the application’s user privileges. This is a severe local privilege escalation and remote code execution vector if combined with other vulnerabilities.

Affected versions span Spring Boot 4.0.0 through 4.0.5 (fixed in 4.0.6), 3.5.0 through 3.5.13 (fixed in 3.5.14), 3.4.0 through 3.4.15 (fixed in 3.4.16), 3.3.0 through 3.3.18 (fixed in 3.3.19), and 2.7.0 through 2.7.32 (fixed in 2.7.33). Even unsupported versions are impacted, according to vendor advisories. The core issue lies in predictable temporary directory paths and insufficient ownership verification for ApplicationTemp.
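As an added example (not code from the advisory or from Spring Boot), a small POSIX shell check a defender can run on the host to confirm that the directory a Spring Boot instance resolves its ApplicationTemp to is not in the state this flaw relies on; the path and the expected owning account are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the advisory or from Spring Boot: audit the directory
# that ApplicationTemp would use for the conditions CVE-2026-40973 depends on.
# The path and the expected owner are caller-supplied assumptions.

# check_temp_dir DIR OWNER
# Returns 0 when DIR is a real directory (not a symlink), is owned by OWNER and
# is not writable by group or others. Prints one line per finding and returns
# 1 otherwise, so it can gate a deployment or run from cron.
check_temp_dir() {
  dir=$1
  owner=$2
  rc=0
  if [ -L "$dir" ]; then
    echo "FAIL: $dir is a symlink; another local account may have planted it"
    return 1
  fi
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir is missing or not a directory"
    return 1
  fi
  # GNU stat first, BSD/macOS stat as the fallback.
  actual=$(stat -c '%U' "$dir" 2>/dev/null || stat -f '%Su' "$dir")
  mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%OLp' "$dir")
  if [ "$actual" != "$owner" ]; then
    echo "FAIL: $dir is owned by $actual, expected $owner"
    rc=1
  fi
  # 022 (octal) masks the group- and other-write bits; any of them set means
  # a different local account can replace or rename files the app trusts.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "FAIL: $dir mode $mode is writable by group or others"
    rc=1
  fi
  [ $rc -eq 0 ] && echo "OK: $dir is owned by $owner with mode $mode"
  return $rc
}
```

Run it as the account the application runs under, e.g. `check_temp_dir /tmp/spring-content springapp`, and treat any FAIL line as a finding to remediate before enabling session persistence.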

What This Means For You

  • If your organization uses Spring Boot, immediately identify all instances running affected versions. Prioritize patching to the specified fixed versions. This isn't just a minor local issue; persistent access to the temporary directory, especially with session persistence enabled, opens the door to full system compromise and user session hijacking. Don't wait; this is a direct path to code execution and data exfiltration.
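An added helper, not from the advisory or the Spring project, that classifies a Spring Boot version string against the affected and fixed ranges stated above so an inventory script can flag instances to patch; the version string is the only input it assumes.

```shell
#!/bin/sh
# Added example, not from the advisory or from the Spring project: classify a
# Spring Boot version against the affected and fixed ranges in the advisory.

# is_affected VERSION
# Returns 0 when VERSION lies in an affected range, 1 when it is at or above
# the fixed release for its line, and 2 for a line the advisory gives no
# range for (the unsupported lines it says are also impacted).
is_affected() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  major=$1; minor=$2
  patch=${3%%[!0-9]*}          # drop suffixes such as -SNAPSHOT or .RELEASE
  patch=${patch:-0}
  case "$major.$minor" in
    4.0) last_bad=5 ;;          # 4.0.0-4.0.5, fixed in 4.0.6
    3.5) last_bad=13 ;;         # 3.5.0-3.5.13, fixed in 3.5.14
    3.4) last_bad=15 ;;         # 3.4.0-3.4.15, fixed in 3.4.16
    3.3) last_bad=18 ;;         # 3.3.0-3.3.18, fixed in 3.3.19
    2.7) last_bad=32 ;;         # 2.7.0-2.7.32, fixed in 2.7.33
    *)   return 2 ;;
  esac
  [ "$patch" -le "$last_bad" ]
}

# classify_version VERSION
# Prints affected, fixed or unknown for use in reports and pipelines.
classify_version() {
  if is_affected "$1"; then echo affected
  elif [ $? -eq 2 ]; then echo unknown
  else echo fixed; fi
}
```

Feed it the versions your build tooling reports (for example `classify_version 3.5.13`) and treat "unknown" as needing an upgrade to a supported, fixed line rather than as safe.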

Detection Rules

CVE-2026-40973: Spring Boot Local Temp Directory Takeover (level: high; ATT&CK T1574.002, Persistence)

Sigma YAML:
# The title contains ': ', so it must be quoted to be a valid YAML scalar.
title: 'CVE-2026-40973: Spring Boot Local Temp Directory Takeover'
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects attempts to manipulate or delete the Spring Boot temporary directory ('/tmp/spring-content') which is targeted by CVE-2026-40973. This manipulation can lead to session hijacking or code execution by a local attacker when server.servlet.session.persistent is true.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40973/
tags:
  - attack.persistence
  - attack.t1574.002
logsource:
  category: file_event
detection:
  selection:
    # Sigma's file_event taxonomy names the path field TargetFilename (TargetObject
    # is the registry field). The prefix is the one the original rule used; adjust
    # it to the java.io.tmpdir the deployment actually resolves to.
    TargetFilename|startswith:
      - '/tmp/spring-content'
    # 'action' is not a standard Sigma file_event field; map it to the event-type
    # field of the backend (or split into file_delete / file_rename rules).
    action:
      - 'delete'
      - 'rename'
  # condition is a sibling of selection under detection, not a key inside it.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type                    Indicator
CVE-2026-40973  Privilege Escalation    Spring Boot versions 4.0.0-4.0.5, 3.5.0-3.5.13, 3.4.0-3.4.15, 3.3.0-3.3.18, 2.7.0-2.7.32
CVE-2026-40973  Information Disclosure  Predictable temporary directory used by `ApplicationTemp` when `server.servlet.session.persistent` is true
CVE-2026-40973  RCE                     Gadget chain execution via `ApplicationTemp` directory control
CVE-2026-40973  Auth Bypass             Session hijacking via `ApplicationTemp` directory control

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
