Medium

Spring Boot Mail auto-configuration hostname verification disabled

IdentifiersCVE-2026-40992CWE-297

CVE-2026-40992 is a medium-severity vulnerability in Spring Boot affecting Mail auto-configuration. In affected versions, Spring Boot's mail auto-configuration does not enable SSL/TLS hostname verification for JavaMail SMTP connections by default. As a result, when an application relies on the auto-configured mail client over TLS and does not explicitly set the JavaMail property for server identity checking, the client may fail to verify that the certificate presented by the SMTP server matches the intended hostname. Applications that explicitly set spring.mail.properties.mail.smtp.ssl.checkserveridentity=true are not affected. Reported affected versions are Spring Boot 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, and 3.4.0 through 3.4.16; unsupported older versions are also stated to be affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker able to intercept, redirect, or impersonate the target SMTP server to bypass proper server identity validation during TLS-protected mail transport. This can enable man-in-the-middle interception of SMTP traffic, spoofing of the mail server endpoint, and compromise of the confidentiality and integrity of mail transmission. The advisory context indicates potential low confidentiality, integrity, and availability impact consistent with transport-layer interception or disruption rather than direct code execution.

Mitigation

If you can’t patch tonight, do this now.

Explicitly enable JavaMail SMTP server identity checking by setting the relevant property, for example spring.mail.properties.mail.smtp.ssl.checkserveridentity=true. Applications already setting this property are not affected. The vendor states no further mitigation beyond upgrading is necessary.

Remediation

Patch, then assume compromise.

Upgrade to a fixed Spring Boot release. Vendor-listed fixes include Spring Boot 4.0.7 for the 4.0.x line and 3.5.15 for the 3.5.x line in OSS channels; Enterprise Support-only fixes are listed as 4.0.6.1, 3.5.14.1, and 3.4.17. Unsupported versions should be upgraded to a supported fixed release. Ensure the mail configuration uses hostname verification after upgrade.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomSpring Bootapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

springNews

Jun 3, 2026

CVE-2026-40992: Mail Auto-Configuration Does Not Enable SSL Hostname Verification

A vulnerability in Spring Boot where Mail auto-configuration does not enable SSL hostname verification, potentially weakening mail transport security.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-40992

NVD

nvd.nist.gov/vuln/detail/CVE-2026-40992

MITRE CWE · CWE-297

cwe.mitre.org

spring.io

spring.io/security/cve-2026-40992