Aikido Intel
Secure My Code
Intel

AIKIDO-2026-10584

spring-boot is vulnerable to Improper Certificate Validation

Improper Certificate ValidationCVE-2026-40974 Published Apr 27, 2026

60

Medium Risk

This Affects:

JAVAspring-boot
2.7.0 - 2.7.32
Fixed in 2.7.33
3.3.0 - 3.3.18
Fixed in 3.3.19
3.4.0 - 3.4.15
Fixed in 3.4.16
3.5.0 - 3.5.13
Fixed in 3.5.14
4.0.0 - 4.0.5
Fixed in 4.0.6
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to improper validation of certificate hostnames in Cassandra auto-configuration, causing TLS connections to trust certificates without verifying they match the intended Cassandra server hostname. This can enable machine-in-the-middle attacks against Cassandra traffic.

Who does this affect?

You are affected if using a vulnerable version and you are connecting to a Cassandra database.

Background info

spring-boot is vulnerable to Improper Certificate Validation in versions 2.7.0 - 2.7.32, 3.3.0 - 3.3.18, 3.4.0 - 3.4.15, 3.5.0 - 3.5.13 and 4.0.0 - 4.0.5.

How to fix this

Upgrade the org.springframework.boot:spring-boot library to the patch version.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done