Primary

Context

Spring Boot Default Web Security Vulnerability Allowing Unauthorized Access

Vulnerability

Patched

A vulnerability exists in Spring Boot versions 4.0.0 through 4.0.5, where the default web security is ineffective, allowing unauthorized access to all endpoints. This issue arises in servlet-based web applications that lack their own Spring Security configuration and instead rely on the default web security filter chain. The vulnerability is present in applications that depend on spring-boot-actuator-autoconfigure but do not use spring-boot-health.

Impact

Exploitation of this vulnerability could lead to unauthorized access to all endpoints of the affected application.

Remediation

Users should upgrade to Spring Boot version 4.0.6 or later.

Added: Apr 28, 2026, 12:30 AM

Updated: Apr 28, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

5.0

exploitability

7.2

remediation

7.7

relevance

6.9

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.6

impact

5.0

exploitability

7.2

remediation

7.7

relevance

6.9

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Spring Boot Default Web Security Vulnerability Allowing Unauthorized Access

Vulnerability

Impact

Remediation

Affected Products

Spring Boot

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating