VMware Tanzu Spring Boot: Attackers can access endpoints

Important security updates close several vulnerabilities in the VMware Tanzu Spring Framework component Spring Boot.

(Image: Tatiana Popova/Shutterstock.com)

2 min. read

Attackers can exploit several vulnerabilities in VMware Tanzu Spring Boot, potentially leading to complete compromise of instances in the worst-case scenario. Security updates are available. Currently, there are no reports from the software manufacturer that attackers are already exploiting the vulnerabilities.

The developers state that they have resolved the security issues in versions 3.5.14 and 4.0.6. They also point out that versions no longer under support are vulnerable as well; in that case, administrators must upgrade to a supported version.

A total of nine vulnerabilities have been closed. As a warning message indicates, one of them (CVE-2026-40976) is classified as “critical.” Because authentication is not enforced reliably, attackers can access all endpoints.

However, for such an attack to succeed, several prerequisites listed in the warning message must be met. For example, it must be a Servlet-based web application. How such an attack could proceed in detail is currently unclear.


Furthermore, attackers can remotely execute malicious code (CVE-2026-40972 “high”) or cause instances to connect to malicious hosts (CVE-2026-40974 “medium”).

Admins can find more information about the closed software vulnerabilities and affected versions in the linked warning messages. The list is sorted by threat level in descending order:

Most recently, the developers closed several security vulnerabilities in VMware Tanzu Spring Security.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.