CVE-2026-40974_CVE-2026-40974

5 / 10

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

Basic Information

ID CVE-2026-40974

Source vmware

Published Apr 27, 2026 at 23:31

Affected Product

Vendor Spring

Product Spring Boot

Version 4.0.0

Affected Versions Spring Spring Boot 4.0.0
Spring Spring Boot 3.5.0
Spring Spring Boot 3.4.0
Spring Spring Boot 3.3.0
Spring Spring Boot 2.7.0

CWE Classification

CWE-295

References

spring.io /security/cve-2026-40974

{
    "lastseen": "",
    "description": "Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.",
    "published": "2026-04-27T23:31:40.629Z",
    "modified": "2026-04-27T23:31:40.629Z",
    "type": "cve",
    "title": "CVE-2026-40974",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-40974",
    "id": "CVE-2026-40974",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Boot 4.0.0\nSpring Spring Boot 3.5.0\nSpring Spring Boot 3.4.0\nSpring Spring Boot 3.3.0\nSpring Spring Boot 2.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Boot",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}