{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40975", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:19:04.616Z", "datePublished": "2026-04-27T23:32:58.596Z", "dateUpdated": "2026-04-28T14:35:05.760Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:32:58.596Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-330: Use of Insufficiently Random Values", "type": "CWE", "cweId": "CWE-330"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality LOW; Integrity LOW; Availability NONE."}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Values produced by <code>${random.value}</code> are not suitable for use as secrets. <code>${random.uuid}</code> is not affected. <code>${random.int}</code> and <code>${random.long}</code> should never be used for secrets as they are numeric values with a predictable range.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40975"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:51:27.326869Z", "id": "CVE-2026-40975", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:35:05.760Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Confidentiality LOW; Integrity LOW; Availability NONE."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThan": "3.5.14", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.16", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThan": "3.3.19", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThan": "2.7.33", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-40975"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.", "supportingMedia": [{"type": "text/html", "value": "<p>Values produced by <code>${random.value}</code> are not suitable for use as secrets. <code>${random.uuid}</code> is not affected. <code>${random.int}</code> and <code>${random.long}</code> should never be used for secrets as they are numeric values with a predictable range.</p><p>Affected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-27T23:32:58.596Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:51:27.326869Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-28T13:51:35.949Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40975", "state": "PUBLISHED", "dateUpdated": "2026-04-27T23:32:58.596Z", "dateReserved": "2026-04-16T02:19:04.616Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-27T23:32:58.596Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1C9BD7-7555-4B3D-AED9-60C3C13DCF46", "versionEndExcluding": "2.7.33", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "28EE6470-24FD-49D1-A2F0-7A19B290A161", "versionEndExcluding": "3.3.19", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "758A9E8F-0C52-43D9-8D84-69622B345A4E", "versionEndExcluding": "3.4.16", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D23096A1-8269-46C5-9215-9098E87D0A24", "versionEndExcluding": "3.5.14", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "12A166C5-8B55-4BA3-AA8B-6024A257D441", "versionEndExcluding": "4.0.6", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.\n\nAffected: Spring Boot 4.0.0\u20134.0.5 (fix 4.0.6), 3.5.0\u20133.5.13 (fix 3.5.14), 3.4.0\u20133.4.15 (fix 3.4.16), 3.3.0\u20133.3.18 (fix 3.3.19), 2.7.0\u20132.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory."}], "id": "CVE-2026-40975", "lastModified": "2026-04-30T13:57:15.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-28T00:16:24.657", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-40975"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.7.33)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Boot", "source": "cna", "vendor": "Spring"}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-28T19:36:45.500469+00:00", "value": {"mitigation_remediation": ["Upgrade to a fixed Spring Boot release: 4.0.6 or later, 3.5.14 or later, 3.4.16 or later, 3.3.19 or later, or 2.7.33 or later.", "Replace any usage of ${random.int} or ${random.long} for secret generation with a cryptographically secure source such as java.security.SecureRandom or UUID.", "If upgrade is not immediately possible, disable the Random Value Property Source for secret generation or ensure it is not exposed to untrusted input, and use a secure generator for critical secrets."], "summary": {"action": "Apply Patch", "impact": "Weak random secret generation can lead to compromise of sensitive credentials"}, "threat_synthesis": {"affected_systems": "Spring Boot releases 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32 are affected. The flaw is fixed in 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33 respectively. Any application that relies on the Random Value Property Source to generate secrets should be treated as vulnerable unless it has been upgraded or the source replaced with a secure generator.", "description_and_impact": "The vulnerability arises from the Random Value Property Source in Spring Boot, which uses weak pseudo\u2011random number generators to produce values labeled as secrets. Generators such as ${random.int} and ${random.long} produce predictable numeric outputs within a limited range, making them unsuitable for cryptographic keys, passwords, or other secrets that must remain confidential. This weakness is classified as CWE\u2011330: Use of Cryptographically Weak or Predictable Pseudorandom Number Generator.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates moderate severity, and the EPSS score is not available. The vulnerability is not present in CISA\u2019s KEV catalog, implying no confirmed public exploitation. The attack vector, while not explicitly documented, is likely to be local or network based on configuration access. An attacker who can influence or observe the application\u2019s configuration or logging streams may predict or discover the generated secret values due to the predictability of the weak PRNG. Consequently, the risk remains significant enough to warrant prompt mitigation."}}}}, "created": "2026-04-28T02:00:14.708302+00:00", "title": "Weak Random Number Generator Used for Secrets in Spring Boot", "updated": "2026-04-28T19:45:07.591249+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}