1 article
CVE-2026-40976 in Spring Boot 4.0.0 through 4.0.5 allows unauthenticated network access to all Spring Boot Actuator management endpoints when applications rely on the default Spring Security auto-configuration but omit the spring-boot-health dependency. Exposed endpoints include heapdump, env, mappings, and loggers — enough to extract secrets and manipulate application behaviour. Upgrade to Spring Boot 4.0.6 or later.