{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-27T23:29:51Z",
  "bugzilla" : {
    "description" : "Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory",
    "id" : "2463330",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463330"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-341",
  "details" : [ "A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.\nAffected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.", "A flaw was found in Spring Boot. A local attacker on the same host as the application may be able to take control of the `ApplicationTemp` directory due to predictable temporary directory handling. When the `server.servlet.session.persistent` setting is enabled and the attack persists across application restarts, this could allow the attacker to read session information, hijack authenticated user sessions, or execute arbitrary code as the application's user." ],
  "affected_release" : [ {
    "product_name" : "HawtIO HawtIO 4.4.0",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25089",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4.4::el9",
    "package" : "spring-boot"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17668",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18",
    "package" : "spring-boot"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21772",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/openvsx-rhel9:1779528224"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21772",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/pluginregistry-rhel9:1779359423"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40973\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40973\nhttps://spring.io/security/cve-2026-40973" ],
  "name" : "CVE-2026-40973",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that the `server.servlet.session.persistent` property is set to `false` in your Spring Boot application's configuration. This prevents session information from being written to the predictable temporary directory, thereby removing the conditions necessary for exploitation. Disabling persistent sessions may affect application behavior that relies on session data surviving restarts.",
    "lang" : "en:us"
  },
  "csaw" : false
}