Bug 2463330 (CVE-2026-40973) - CVE-2026-40973 Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
Summary: CVE-2026-40973 Spring Boot: Arbitrary Code Execution and Session...
Keywords:
Status: NEW
Alias: CVE-2026-40973
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2467990 2467991
Blocks:
Reported: 2026-04-28 00:02 UTC by OSIDB Bzimport
Modified: 2026-05-08 10:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-28 00:02:18 UTC
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true`, so that session data survives application restarts, and the attacker retains control of the directory across a restart, this may allow the attacker to read session information and hijack authenticated users, or to deploy a gadget chain and execute code as the application's user.

Affected: Spring Boot 4.0.0–4.0.5 (fixed in 4.0.6), 3.5.0–3.5.13 (fixed in 3.5.14), 3.4.0–3.4.15 (fixed in 3.4.16), 3.3.0–3.3.18 (fixed in 3.3.19), 2.7.0–2.7.32 (fixed in 2.7.33). Root cause: a predictable temporary directory; the fixed versions verify ownership of the `ApplicationTemp` directory. Versions that are no longer supported are also affected per the vendor advisory.
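The kind of check the fix describes, shown as an added example rather than Spring Boot's own `ApplicationTemp` code: the hypothetical `PrivateWorkDir` class creates a per-application directory under a shared temp root with mode 0700 and refuses to use anything already at that path unless it is a plain directory owned by the current user with owner-only permissions. It assumes a POSIX file system and uses only standard `java.nio.file` APIs.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.Set;

// Added example (hypothetical class, not Spring Boot's ApplicationTemp).
public final class PrivateWorkDir {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    public static Path prepare(Path tempRoot, String appName) throws IOException {
        Path dir = tempRoot.resolve(appName).toAbsolutePath();
        try {
            // mkdir with mode 0700. This fails (EEXIST) if anything already uses
            // the name, including a symlink or directory planted by another user.
            Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        } catch (FileAlreadyExistsException existing) {
            // Something is already there: validate it below instead of trusting it.
        }
        // Inspect the entry itself, never the target a symlink may point to.
        PosixFileAttributes attrs =
                Files.readAttributes(dir, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (attrs.isSymbolicLink() || !attrs.isDirectory()) {
            throw new IOException("refusing " + dir + ": not a plain directory");
        }
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!attrs.owner().equals(me)) {
            throw new IOException("refusing " + dir + ": owned by " + attrs.owner().getName());
        }
        // A directory we own but others could write to may already hold planted
        // files (e.g. session data), so refuse rather than just tightening the mode.
        if (!attrs.permissions().equals(OWNER_ONLY)) {
            throw new IOException("refusing " + dir + ": permissions are not 0700");
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println("using " + prepare(root, "example-app-sessions"));
    }
}
```

Pointing `java.io.tmpdir` at a directory that is private to the service account gives the same protection at the deployment level, independent of any code-level check.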

