CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-40970

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 8.8%

CVSS Severity

CVSS v3 Score 5.0

References

https://spring.io/security/cve-2026-40970

Products affected by CVE-2026-40970

Vmware » Spring Boot » Version: 4.0.0

cpe:2.3:a:vmware:spring_boot:4.0.0
Vmware » Spring Boot » Version: 4.0.1

cpe:2.3:a:vmware:spring_boot:4.0.1
Vmware » Spring Boot » Version: 4.0.2

cpe:2.3:a:vmware:spring_boot:4.0.2
Vmware » Spring Boot » Version: 4.0.3

cpe:2.3:a:vmware:spring_boot:4.0.3
Vmware » Spring Boot » Version: 4.0.4

cpe:2.3:a:vmware:spring_boot:4.0.4
Vmware » Spring Boot » Version: 4.0.5

cpe:2.3:a:vmware:spring_boot:4.0.5

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40970

Products

Pricing

Contact Us