Spring Boot Elasticsearch Auto-Configuration Hostname Verification Vulnerability

Vulnerability

A vulnerability exists in Spring Boot's Elasticsearch auto-configuration when an SSL bundle is used: the configuration does not verify the server's hostname against its TLS certificate while connecting to the Elasticsearch server. This vulnerability affects Spring Boot versions 4.0.0 through 4.0.5.

Impact

Without hostname verification, the connection is exposed to man-in-the-middle attacks in which an attacker could intercept and potentially alter the traffic between Spring Boot and the Elasticsearch server.

Remediation

Users should upgrade to Spring Boot version 4.0.6 or later.
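To find projects that still sit in the affected range, the following added example (not part of the advisory or of the Spring Boot project) reads the Spring Boot version from a Maven POM that inherits from `spring-boot-starter-parent` or from a Gradle plugin declaration, and compares it against the 4.0.0 through 4.0.5 range stated above. It assumes the version is pinned in one of those two places; the sample manifests are constructed for demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range from the advisory: 4.0.0 through 4.0.5 inclusive; fixed in 4.0.6.
AFFECTED_MIN = (4, 0, 0)
FIXED_IN = (4, 0, 6)


def parse_version(text):
    """Turn '4.0.5' or '4.0.5-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def spring_boot_version_from_pom(pom_xml):
    """Read the spring-boot-starter-parent version from a Maven POM (assumed layout)."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    parent = ET.fromstring(pom_xml).find("m:parent", ns)
    if parent is None or parent.findtext("m:artifactId", namespaces=ns) != "spring-boot-starter-parent":
        return None
    return parent.findtext("m:version", namespaces=ns)


def spring_boot_version_from_gradle(build_gradle):
    """Read the version from an 'org.springframework.boot' plugin line (Groovy or Kotlin DSL)."""
    m = re.search(r"id\s*\(?['\"]org\.springframework\.boot['\"]\)?\s*version\s*['\"]([^'\"]+)['\"]", build_gradle)
    return m.group(1) if m else None


# Constructed sample manifests; one affected, one already on the fixed release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>4.0.3</version>
  </parent>
</project>"""

SAMPLE_GRADLE = "plugins {\n    id 'org.springframework.boot' version '4.0.6'\n}\n"

if __name__ == "__main__":
    for name, ver in (("pom.xml", spring_boot_version_from_pom(SAMPLE_POM)),
                      ("build.gradle", spring_boot_version_from_gradle(SAMPLE_GRADLE))):
        print(f"{name}: Spring Boot {ver} -> {'AFFECTED' if is_affected(ver) else 'not affected'}")
```

A hit only means the version is in range; the vulnerable code path is reached when the application actually connects to Elasticsearch with an SSL bundle configured.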

Added: Apr 27, 2026, 7:33 PM
Updated: Apr 27, 2026, 7:33 PM

Vulnerability Rating (custom algorithm)

spread: 7.6
impact: 1.3
exploitability: 6.8
remediation: 7.7
relevance: 6.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.