Intel

AIKIDO-2026-10661

spring-boot is vulnerable to Observable Timing Discrepancy

Observable Timing Discrepancy | CVE-2026-40972 | Published Apr 30, 2026

Risk score: 75 (High Risk)

This Affects:

JAVA: org.springframework.boot:spring-boot

2.7.0 - 2.7.32, fixed in 2.7.33
3.3.0 - 3.3.18, fixed in 3.3.19
3.4.0 - 3.4.15, fixed in 3.4.16
3.5.0 - 3.5.13, fixed in 3.5.14
4.0.0 - 4.0.5, fixed in 4.0.6

TL;DR

Affected versions compare the DevTools remote secret in a way whose running time depends on how much of the supplied value matches the real secret. An attacker who can reach the application's remote DevTools endpoint (the advisory describes this as an attacker on the same network) can repeat requests, time the responses, and use the differences to infer the secret. In the worst case, recovering the secret lets the attacker push classes to the running application through remote DevTools, which amounts to remote code execution in the target application.
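The following is an added illustration and is not Spring Boot's own code. It contrasts the class of comparison the advisory describes (one that returns at the first mismatching byte, so its running time reveals how long the matching prefix is) with a comparison whose running time does not depend on where the mismatch occurs. The secret value, the helper names and the iteration count are constructed for the example; a real remote DevTools secret is whatever spring.devtools.remote.secret was set to.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.BiPredicate;

// Added example, not Spring Boot code: a leaky secret comparison beside a
// constant-time one, with a crude timing harness to make the gap visible.
public final class SecretCompare {

    // Keeps the JIT from discarding comparison results it considers unused.
    private static volatile int sink;

    // Leaky: the loop exits at the first differing byte, so a guess that is
    // wrong in byte 0 is rejected faster than a guess that is wrong only in
    // the last byte. The length check leaks the secret's length the same way.
    static boolean leakyEquals(String expected, String provided) {
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false; // early exit: this is the timing side channel
            }
        }
        return true;
    }

    // Fixed: hash both values so the arrays being compared always have the
    // same length (hiding the secret's length), then compare them with
    // MessageDigest.isEqual, which examines every byte regardless of where
    // the first difference is.
    static boolean constantTimeEquals(String expected, String provided) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] a = sha256.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha256.digest(provided.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java platform", e);
        }
    }

    // Times `iterations` comparisons of `guess` against `secret`. Measurements
    // on a JIT-compiled JVM are noisy, so the harness runs many iterations and
    // warms up first; it is a demonstration, not a calibrated attack tool.
    static long timeNanos(BiPredicate<String, String> cmp, String secret, String guess, int iterations) {
        int hits = 0;
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            if (cmp.test(secret, guess)) {
                hits++;
            }
        }
        long elapsed = System.nanoTime() - start;
        sink += hits;
        return elapsed;
    }

    public static void main(String[] args) {
        // Constructed sample secret for the demonstration.
        String secret = "s3cr3t-remote-devtools-value";
        String wrongFirst = "X" + secret.substring(1);
        String wrongLast = secret.substring(0, secret.length() - 1) + "X";
        int n = 500_000;

        // Warm-up so both comparators are measured in their compiled form.
        timeNanos(SecretCompare::leakyEquals, secret, wrongLast, n);
        timeNanos(SecretCompare::constantTimeEquals, secret, wrongLast, n);

        System.out.printf("leaky : first-byte mismatch %d ns, last-byte mismatch %d ns%n",
                timeNanos(SecretCompare::leakyEquals, secret, wrongFirst, n),
                timeNanos(SecretCompare::leakyEquals, secret, wrongLast, n));
        System.out.printf("fixed : first-byte mismatch %d ns, last-byte mismatch %d ns%n",
                timeNanos(SecretCompare::constantTimeEquals, secret, wrongFirst, n),
                timeNanos(SecretCompare::constantTimeEquals, secret, wrongLast, n));
    }
}
```

Run it with `javac SecretCompare.java && java SecretCompare`. The leaky comparator shows the last-byte mismatch taking consistently longer than the first-byte mismatch; the hashed, `MessageDigest.isEqual` comparator shows no systematic difference. Hashing before comparing is what removes the length leak; `MessageDigest.isEqual` alone already compares every byte of equal-length inputs.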

Who does this affect?

You are affected if you run a vulnerable version and the application has remote DevTools support active. Remote DevTools is only active when spring-boot-devtools is on the classpath and the spring.devtools.remote.secret property is set; a packaged application that excludes spring-boot-devtools (the default for the Maven and Gradle plugins, which treat it as optional or developmentOnly) or that sets no remote secret exposes no secret comparison for an attacker to time. Check your build's dependency tree for spring-boot-devtools and your configuration for spring.devtools.remote.secret before deciding you are unaffected.

Background info

spring-boot is vulnerable to Observable Timing Discrepancy in versions 2.7.0 - 2.7.32, 3.3.0 - 3.3.18, 3.4.0 - 3.4.15, 3.5.0 - 3.5.13 and 4.0.0 - 4.0.5.

How to fix this

Upgrade the org.springframework.boot:spring-boot library to the fixed version for your release line: 2.7.33, 3.3.19, 3.4.16, 3.5.14 or 4.0.6. Until you can upgrade, removing spring-boot-devtools from production artifacts or unsetting spring.devtools.remote.secret disables the remote DevTools endpoint whose secret comparison is affected.