Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-27T23:15:19 Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CWE-208

A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to remote code execution in the remote application.

To mitigate this issue, disable the Spring Boot DevTools remote functionality in production environments. This feature is primarily intended for development and should not be enabled in publicly accessible deployments. To disable remote DevTools, ensure the `spring.devtools.remote.secret` property is not configured, or explicitly set `spring.devtools.remote.enabled=false` in your application's `application.properties` or `application.yml` file. Example for `application.properties`: `spring.devtools.remote.enabled=false` Disabling this feature may impact development workflows that rely on remote DevTools capabilities. A restart of the application is required for the changes to take effect. Red Hat AMQ Broker 7 Not affected spring-boot Red Hat AMQ Clients Not affected spring-boot Red Hat build of Apache Camel for Spring Boot 4 Affected spring-boot Red Hat build of Apache Camel - HawtIO 4 Affected spring-boot Red Hat build of OptaPlanner 8 Affected spring-boot Red Hat Data Grid 8 Not affected spring-boot Red Hat Enterprise Linux 8 Not affected log4j:2/log4j Red Hat Enterprise Linux 9 Not affected log4j Red Hat Fuse 7 Affected spring-boot Red Hat JBoss Enterprise Application Platform 7 Not affected spring-boot Red Hat JBoss Enterprise Application Platform 8 Not affected spring-boot Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected spring-boot Red Hat OpenShift Dev Spaces Affected devspaces/openvsx-rhel9 Red Hat OpenShift Dev Spaces Affected devspaces/pluginregistry-rhel9 Red Hat Process Automation 7 Affected spring-boot Red Hat Single Sign-On 7 Affected spring-boot https://www.cve.org/CVERecord?id=CVE-2026-40972 https://nvd.nist.gov/vuln/detail/CVE-2026-40972 https://spring.io/security/cve-2026-40972