Spring Boot 4 Session Hijack via ApplicationTemp TempDir
CVE-2026-40973 Published on April 27, 2026
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`, because its path under the system temp directory is predictable and the application did not verify who owns a directory that already exists there. When `server.servlet.session.persistent` is set to `true` and the attacker's control of the directory survives an application restart (persisted sessions are written to and read back from that directory), the attacker may read the serialized session data and hijack authenticated users, or plant a deserialization gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0 to 4.0.5 (fixed in 4.0.6), 3.5.0 to 3.5.13 (fixed in 3.5.14), 3.4.0 to 3.4.15 (fixed in 3.4.16), 3.3.0 to 3.3.18 (fixed in 3.3.19), 2.7.0 to 2.7.32 (fixed in 2.7.33). Root cause: predictable temp directory with no `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per the vendor advisory.
Vulnerability Analysis
CVE-2026-40973 is exploitable with local access to the host and only low privileges (any local account that can write to the shared temp directory). Attack complexity is considered high, since the attacker must claim the predictable directory before the application creates it and keep that control across a restart. The potential impact of a successful exploit is considered very high.
Weakness Type
Insecure Temporary File
Creating and using insecure temporary files or directories, such as reusing a predictably named path in a world-writable location without checking that the current user owns it, can leave application and system data exposed to other local users.
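The following is an added illustration, not Spring Boot's code or its actual fix, of the check a shared-temp-directory consumer needs: claim the directory atomically with owner-only permissions, and if something is already there, accept it only if it is a real directory (not a symlink) owned by the current user and not writable by anyone else. The class name `OwnedTempDir`, the `applicationKey` parameter and the `app-<sha256>` naming scheme are assumptions for the example; the name is deliberately predictable, as the advisory describes, so that the defence has to come from the ownership verification rather than from the path. It assumes a POSIX file system and Java 17+.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

/**
 * Illustrative example (not Spring Boot's own ApplicationTemp): a per-application
 * temp directory that refuses to reuse a directory the current user does not own.
 * Assumes a POSIX file system and Java 17+ (HexFormat).
 */
public final class OwnedTempDir {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    private OwnedTempDir() {
    }

    /**
     * Derives a stable, hence predictable, directory name from a hypothetical
     * application key, then claims or verifies it under java.io.tmpdir.
     */
    public static Path get(String applicationKey) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        Path dir = tmp.resolve("app-" + sha256Hex(applicationKey));
        try {
            // Atomic claim: mkdir with mode 0700. This fails, instead of silently
            // reusing, if anything (an attacker's directory or symlink) is already there.
            Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        } catch (FileAlreadyExistsException existing) {
            // The across-restarts case from the advisory: only reuse the directory
            // if it is a plain directory we own and nobody else can write into.
            verifyOwnedByCurrentUser(dir);
        }
        return dir;
    }

    static void verifyOwnedByCurrentUser(Path dir) throws IOException {
        // NOFOLLOW_LINKS so a planted symlink is inspected itself, not its target.
        BasicFileAttributes attrs =
                Files.readAttributes(dir, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (attrs.isSymbolicLink() || !attrs.isDirectory()) {
            throw new IOException("not a plain directory: " + dir);
        }
        UserPrincipal owner = Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS);
        UserPrincipal self = FileSystems.getDefault().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!owner.equals(self)) {
            throw new IOException(dir + " is owned by " + owner.getName()
                    + ", not " + self.getName() + "; refusing to use it");
        }
        Set<PosixFilePermission> perms =
                Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException(dir + " is writable by other users ("
                    + PosixFilePermissions.toString(perms) + "); refusing to use it");
        }
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = get("demo-app");
        System.out.println("claimed " + dir);
        // Simulate the directory having been loosened (or pre-created) by another user.
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwxrwxrwx"));
        try {
            get("demo-app");
            System.out.println("BUG: world-writable directory accepted");
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        } finally {
            Files.delete(dir);
        }
    }
}
```

The first call creates the directory with mode 0700; the second, after the permissions have been loosened, hits `FileAlreadyExistsException` and the verification rejects the directory. A directory pre-created by a different local user fails the owner comparison in the same way. Independently of upgrading to a fixed Spring Boot release, running the service with a private temp directory (for example systemd's `PrivateTmp=true`, or pointing `java.io.tmpdir` at a directory only the service account can write to) removes the shared location the attack depends on.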
Products Associated with CVE-2026-40973
Affected Versions
Spring Boot:
- Versions from 4.0.0 up to, but not including, 4.0.6 are affected.
- Versions from 3.5.0 up to, but not including, 3.5.14 are affected.
- Versions from 3.4.0 up to, but not including, 3.4.16 are affected.
- Versions from 3.3.0 up to, but not including, 3.3.19 are affected.
- Versions from 2.7.0 up to, but not including, 2.7.33 are affected.