What is CVE-2026-40977?

CVE-2026-40977 is a medium-severity vulnerability in Spring Boot, classified under Improper Link Resolution Before File Access. CVSS score: 4.7/10. Published 2026-04-28.

How severe is CVE-2026-40977?

Medium severity. CVSS v3 base score is 4.7 out of 10.

Vulnerability in Spring Boot

CVE-2026-40977

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 (f…

EPSS: 0.000 (5.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.7 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H.

Affected products

Spring Boot — versions 4.0.0, 3.5.0, 3.4.0
Vmware Spring_boot

Weakness classification (CWE)

CWE-59 — Improper Link Resolution Before File Access

References

security@vmware.com (Vendor Advisory)

Frequently asked questions

What is CVE-2026-40977?: CVE-2026-40977 is a medium-severity vulnerability in Spring Boot, classified under Improper Link Resolution Before File Access. CVSS score: 4.7/10. Published 2026-04-28.
How severe is CVE-2026-40977?: Medium severity. CVSS v3 base score is 4.7 out of 10.