CVE-2026-40973 Overview
CVE-2026-40973 is a high-severity vulnerability affecting VMware Spring Boot that allows a local attacker on the same host as the application to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this vulnerability may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
This vulnerability stems from insecure temporary file handling (CWE-377), where the application fails to properly verify ownership of the temporary directory, creating a race condition that attackers can exploit.
Critical Impact
Local attackers can hijack user sessions, read sensitive session data, or achieve arbitrary code execution by exploiting predictable temp directory paths and insufficient ownership verification in Spring Boot applications.
Affected Products
- VMware Spring Boot 4.0.0–4.0.5 (fix in version 4.0.6)
- VMware Spring Boot 3.5.0–3.5.13 (fix in version 3.5.14)
- VMware Spring Boot 3.4.0–3.4.15 (fix in version 3.4.16)
- VMware Spring Boot 3.3.0–3.3.18 (fix in version 3.3.19)
- VMware Spring Boot 2.7.0–2.7.32 (fix in version 2.7.33)
Discovery Timeline
- 2026-04-28 - CVE CVE-2026-40973 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-40973
Vulnerability Analysis
This vulnerability exploits a weakness in how Spring Boot handles temporary directories through the ApplicationTemp class. The core issue lies in the predictable nature of temporary directory paths combined with inadequate ownership verification when the application accesses these directories.
When server.servlet.session.persistent is enabled, Spring Boot stores session data in a temporary directory to maintain session state across application restarts. A local attacker with access to the same host can anticipate the temporary directory location and create or take control of it before the application does. This creates a Time-of-Check Time-of-Use (TOCTOU) race condition scenario.
The vulnerability has significant security implications. An attacker who successfully takes control of the ApplicationTemp directory can read serialized session objects, potentially extracting authentication tokens, session identifiers, and other sensitive user data. More critically, if the application deserializes objects from this directory, the attacker could plant malicious serialized objects containing gadget chains that execute arbitrary code when deserialized by the application.
Root Cause
The root cause is CWE-377: Insecure Temporary File handling. Spring Boot's ApplicationTemp implementation does not adequately verify the ownership and permissions of the temporary directory before use. The predictable naming convention for temporary directories allows local attackers to preemptively create directories with the expected names, establishing control before the legitimate application accesses them. This lack of proper validation enables symlink attacks, directory hijacking, and unauthorized access to session persistence data.
Attack Vector
The attack requires local access to the host running the Spring Boot application. The attacker must have sufficient permissions to create directories in the system's temporary file location (typically /tmp on Unix-like systems or %TEMP% on Windows).
The exploitation flow involves identifying the target Spring Boot application and determining its temporary directory naming pattern. The attacker then creates a directory matching the expected ApplicationTemp path before the application starts or restarts. Once the application runs and writes session data to this attacker-controlled directory, the attacker can read session files to extract credentials and tokens, or inject malicious serialized objects that will be deserialized by the application, leading to code execution under the application's user context.
The attack complexity is high because it requires local access and precise timing around application restarts, but the potential impact is severe, affecting confidentiality, integrity, and availability of the system.
Detection Methods for CVE-2026-40973
Indicators of Compromise
- Unexpected ownership or permissions changes on Spring Boot temporary directories
- Suspicious processes accessing or monitoring temporary file locations before application startup
- Anomalous session activity indicating potential session hijacking
- Serialized Java objects in temporary directories with unexpected modification times or ownership
Detection Strategies
- Monitor file system events for directory creation in common temporary locations that match Spring Boot naming patterns
- Implement audit logging for access to ApplicationTemp directories and session persistence files
- Use integrity monitoring tools to detect unauthorized modifications to temporary directories
- Review application logs for deserialization errors or unexpected class loading that may indicate gadget chain exploitation attempts
Monitoring Recommendations
- Configure SentinelOne agents to monitor process behavior around temporary file operations during application startup sequences
- Implement real-time alerting for permission changes on directories used by Spring Boot applications
- Establish baseline normal behavior for temporary directory access patterns to identify anomalous activity
- Enable Java deserialization monitoring to detect potential gadget chain exploitation attempts
How to Mitigate CVE-2026-40973
Immediate Actions Required
- Upgrade to patched Spring Boot versions: 4.0.6, 3.5.14, 3.4.16, 3.3.19, or 2.7.33 immediately
- Review all Spring Boot applications to identify those with server.servlet.session.persistent=true configured
- Audit current temporary directory permissions and ownership for running Spring Boot applications
- Consider disabling session persistence temporarily until patches can be applied
Patch Information
VMware has released security patches addressing the ApplicationTemp ownership verification vulnerability. Organizations should upgrade to the following fixed versions based on their current Spring Boot branch:
| Current Version Range | Fixed Version |
|---|---|
| 4.0.0–4.0.5 | 4.0.6 |
| 3.5.0–3.5.13 | 3.5.14 |
| 3.4.0–3.4.15 | 3.4.16 |
| 3.3.0–3.3.18 | 3.3.19 |
| 2.7.0–2.7.32 | 2.7.33 |
For detailed patch information and upgrade guidance, refer to the Spring Security Advisory.
Workarounds
- Disable session persistence by setting server.servlet.session.persistent=false in application properties
- Configure a dedicated secure directory for ApplicationTemp with restrictive permissions (e.g., mode 0700)
- Use container isolation to limit local attacker access to the application's file system namespace
- Implement additional access controls on the host system to restrict which users can create directories in temporary locations
# Configuration example - Secure temporary directory configuration
# Set a dedicated temp directory with restricted permissions
mkdir -p /opt/spring-app/secure-temp
chmod 0700 /opt/spring-app/secure-temp
chown appuser:appgroup /opt/spring-app/secure-temp
# Configure Spring Boot to use the secure directory
# Add to application.properties or environment variable:
# spring.application.temp=/opt/spring-app/secure-temp
# Or disable session persistence entirely:
# server.servlet.session.persistent=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
