Spring fixes TLS hostname verification flaws and DevTools timing attack issue
Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for Elasticsearch, Cassandra, and RabbitMQ that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as CVE-2026-40970, CVE-2026-40974, and CVE-2026-40971, respectively, and could weaken certificate validation for connections to those backend services.
A fourth advisory, CVE-2026-40972, affects Spring DevTools and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Spring discloses CVE-2026-40974 in Cassandra SSL auto-configuration
Spring published an advisory for CVE-2026-40974, stating that Cassandra SSL auto-configuration disables TLS hostname verification.
Spring discloses CVE-2026-40972 affecting DevTools secret comparison
Spring published an advisory for CVE-2026-40972, reporting that DevTools remote secret comparison is vulnerable to timing attacks.
Spring discloses CVE-2026-40971 in RabbitMQ SSL auto-configuration
Spring published an advisory for CVE-2026-40971, stating that RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification.
Spring discloses CVE-2026-40970 in Elasticsearch SSL auto-configuration
Spring published an advisory for CVE-2026-40970, stating that Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40970: Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification
spring.io
Open sourceCVE-2026-40974: Cassandra SSL auto-configuration disables TLS hostname verification
spring.io
Open sourceCVE-2026-40971: RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification
spring.io
Open sourceCVE-2026-40972: DevTools remote secret comparison is vulnerable to timing attacks
spring.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spring Cloud Config and Spring AI Flaws Expose Systems to RCE and SSRF
The Canadian Centre for Cyber Security issued advisory **AV26-288** warning that multiple vulnerabilities disclosed by Spring affect **Spring Cloud Config** and **Spring AI**, including **server-side request forgery (SSRF)**, unintended file access, query injection, and a **SpEL injection** that can lead to **remote code execution (RCE)**. The notice says the issues were disclosed by Spring between March 23 and 26 and urged organizations to review the vendor advisories and assess exposure in affected deployments. Affected versions include **Spring Cloud Config** releases prior to **3.1.3**, **4.1.9**, **4.2.6**, **4.3.2**, and **5.0.2**, along with **Spring AI** versions prior to **1.0.5** and **1.1.4**. The Cyber Centre advised administrators and users to apply the relevant updates to reduce the risk of exploitation against exposed services and vulnerable application environments.
May 25, 2026
Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across **Spring Framework**, **Spring Data Commons**, and **Spring LDAP**, including a high-severity authentication bypass tracked as `CVE-2026-41720`. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use `AbstractContextSource`, `LdapTemplate`, or `LdapClient`. Spring also fixed a low-severity WebFlux session fixation issue (`CVE-2026-41839`) tied to compromised subdomains, and an information disclosure bug (`CVE-2026-41841`) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached. Several denial-of-service issues were patched at the same time. In Spring Framework, `CVE-2026-41840` can leak memory through malicious multipart requests in WebFlux, while `CVE-2026-41842` can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, `CVE-2026-41695`, `CVE-2026-41711`, `CVE-2026-41716`, and `CVE-2026-41721` can be triggered by attacker-controlled property paths, sort parameters, property names, or `@ProjectedPayload` data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework `7.0.8`, `6.2.19`, and `6.1.28`, Data Commons `4.0.6` and `3.5.12`, and LDAP `2.4.5`, `3.2.18`, `3.3.8`, or `4.0.4`, with some older branches receiving fixes only through commercial support.
Jun 11, 2026
Spring discloses deserialization flaws in Kafka header mappers and JMS converters
Spring disclosed two high-severity unsafe deserialization vulnerabilities affecting widely used messaging components: `CVE-2026-41731` in **Spring for Apache Kafka** and `CVE-2026-41855` in the **Spring Framework**. The Kafka issue stems from overly broad trusted-package matching in `JsonKafkaHeaderMapper` and the deprecated `DefaultKafkaHeaderMapper`, where prefix-based checks caused trust in a package to extend to all subpackages. Spring said a malicious producer could abuse crafted Kafka header values together with Jackson's default bean deserialization to make consumers instantiate arbitrary JDK classes, and assigned the flaw `CWE-502` with a `CVSS:3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`. The related Spring Framework flaw affects Jackson-based JMS message converters in untrusted JMS environments, where deserialization of gadget classes can enable arbitrary class instantiation and unauthorized actions. Affected Kafka versions include `4.0.0`-`4.0.5`, `3.3.0`-`3.3.15`, `3.2.0`-`3.2.13`, `2.9.0`-`2.9.13`, and `2.8.0`-`2.8.11`, while Spring recommended upgrading Kafka deployments to fixed releases such as `4.0.6` and `3.3.16`, with commercial fixes for other branches. The JMS converter issue impacts Spring Framework `7.0.0`-`7.0.7`, `6.2.0`-`6.2.18`, `6.1.0`-`6.1.27`, and `5.3.0`-`5.3.48`, extending the exposure across multiple supported and legacy release lines.
Jun 10, 2026