{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-27T23:15:19Z",
  "bugzilla" : {
    "description" : "Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison",
    "id" : "2463332",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463332"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-208",
  "details" : [ "A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to remote code execution in the remote application." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17668",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18",
    "package" : "spring-boot"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/openvsx-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40972\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40972\nhttps://spring.io/security/cve-2026-40972" ],
  "name" : "CVE-2026-40972",
  "mitigation" : {
    "value" : "To mitigate this issue, disable the Spring Boot DevTools remote functionality in production environments. This feature is primarily intended for development and should not be enabled in publicly accessible deployments.\nTo disable remote DevTools, ensure the `spring.devtools.remote.secret` property is not configured, or explicitly set `spring.devtools.remote.enabled=false` in your application's `application.properties` or `application.yml` file.\nExample for `application.properties`:\n`spring.devtools.remote.enabled=false`\nDisabling this feature may impact development workflows that rely on remote DevTools capabilities. A restart of the application is required for the changes to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}