CVE-2026-40992 Overview
CVE-2026-40992 affects Spring Boot's Mail auto-configuration, which fails to enable Transport Layer Security (TLS) hostname verification by default. Applications relying on the default auto-configured JavaMailSender accept SMTP server certificates without validating that the certificate's hostname matches the server being contacted. This weakness maps to [CWE-295] Improper Certificate Validation. Attackers positioned on an adjacent network path can intercept SMTP-over-TLS sessions and present a certificate issued for a different host. Applications that explicitly set spring.mail.properties.mail.smtp.ssl.checkserveridentity=true are not affected.
Critical Impact
Adjacent-network attackers can perform man-in-the-middle interception of outbound SMTP traffic, exposing mail content and credentials transmitted by Spring Boot applications using default Mail auto-configuration.
Affected Products
- Spring Boot 4.0.0 through 4.0.6
- Spring Boot 3.5.0 through 3.5.14
- Spring Boot 3.4.0 through 3.4.16
Discovery Timeline
- 2026-06-11 - CVE-2026-40992 published to the National Vulnerability Database (NVD)
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-40992
Vulnerability Analysis
Spring Boot auto-configures a JavaMailSender bean when spring.mail.* properties are present. The auto-configuration negotiates TLS for SMTPS or STARTTLS sessions but does not set the JavaMail property mail.smtp.ssl.checkserveridentity to true. Without this flag, the underlying JavaMail client validates the certificate chain but skips hostname verification. An attacker who can intercept traffic between the application and the SMTP server can therefore present any certificate that chains to the client's truststore, regardless of which hostname it was issued for.
The impact is bounded by the attacker's network position and the contents of outbound mail. Confidentiality, integrity, and availability impacts are each rated low because exploitation requires an adjacent network position and high attack complexity. Compromised sessions can leak message bodies, recipient lists, and SMTP authentication credentials when plaintext or basic authentication is used.
Root Cause
The defect lies in the Spring Boot Mail auto-configuration logic, which does not propagate a secure default for mail.smtp.ssl.checkserveridentity (or the equivalent mail.smtps.ssl.checkserveridentity). JavaMail's default behavior disables hostname verification unless this property is explicitly enabled. The auto-configured sender therefore inherits an insecure TLS posture even when SMTPS or STARTTLS is in use.
Attack Vector
Exploitation requires the attacker to occupy an adjacent network position between the Spring Boot application and the configured SMTP server. The attacker redirects SMTP traffic, completes the TLS handshake with a certificate that is trusted by the JVM truststore but issued for a different hostname, and then proxies or modifies messages. Credentials sent during SMTP AUTH LOGIN or AUTH PLAIN exchanges become recoverable. The vulnerability does not enable remote code execution or unauthenticated access to the application itself.
No verified public exploit code is available. The vulnerability mechanism is described in the Spring Security Advisory CVE-2026-40992.
Detection Methods for CVE-2026-40992
Indicators of Compromise
- Unexpected TLS certificates presented by SMTP relays, particularly certificates with subject names that do not match the configured spring.mail.host value.
- SMTP sessions terminating at IP addresses outside the documented mail infrastructure range.
- Authentication failures or credential reuse alerts for SMTP service accounts used by Spring Boot applications.
Detection Strategies
- Inventory Spring Boot applications and identify those that depend on spring-boot-starter-mail at versions 3.4.0–3.4.16, 3.5.0–3.5.14, or 4.0.0–4.0.6.
- Inspect application configuration for the presence of spring.mail.properties.mail.smtp.ssl.checkserveridentity or mail.smtps.ssl.checkserveridentity; absence indicates exposure.
- Use TLS inspection on egress traffic to flag SMTP sessions where the server certificate's Subject Alternative Name does not match the destination hostname.
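The first two inventory checks above (affected version range, and whether the checkserveridentity property is actually set for the transport in use) as a script. This is an added example, not code from the advisory or from Spring Boot; the sample application.properties, its host name, and the function names are constructed for illustration.

```python
# Added example, not code from the advisory or from Spring Boot: audit a Spring
# Boot application.properties for the insecure default in CVE-2026-40992
# (TLS negotiated but mail.smtp(s).ssl.checkserveridentity never set to true)
# and check a framework version against the advisory's affected ranges.
import re

# Affected Spring Boot ranges as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = (((3, 4, 0), (3, 4, 16)), ((3, 5, 0), (3, 5, 14)), ((4, 0, 0), (4, 0, 6)))
PREFIX = "spring.mail.properties."


def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_affected_version(version):
    """True when a Spring Boot version such as '3.5.12' falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit_mail_config(props):
    """'cleartext': no TLS at all (a different, worse problem than this CVE);
    'exposed': TLS in use but hostname verification not enabled; 'ok': enabled."""
    def enabled(key):
        return props.get(PREFIX + key, "").lower() == "true"
    smtps = props.get("spring.mail.protocol", "smtp").lower() == "smtps"
    if not (smtps or enabled("mail.smtp.starttls.enable") or enabled("mail.smtp.ssl.enable")):
        return "cleartext"
    # SMTPS sessions read the mail.smtps.* keys; STARTTLS and ssl.enable read mail.smtp.*.
    needed = "mail.smtps.ssl.checkserveridentity" if smtps else "mail.smtp.ssl.checkserveridentity"
    return "ok" if enabled(needed) else "exposed"


# Constructed sample: a typical STARTTLS setup with the verification flag missing.
SAMPLE_PROPERTIES = """
spring.mail.host=smtp.example.internal
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true
"""
```

A configuration that negotiates no TLS at all is reported separately, since that is not this CVE but still sends credentials in the clear.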
Monitoring Recommendations
- Log outbound SMTP destinations and certificate fingerprints from application hosts and alert on deviations.
- Monitor authentication logs on SMTP relays for logins originating from unexpected source IPs.
- Track Spring Boot dependency versions through Software Bill of Materials (SBOM) tooling and flag affected ranges.
How to Mitigate CVE-2026-40992
Immediate Actions Required
- Set spring.mail.properties.mail.smtp.ssl.checkserveridentity=true (and mail.smtps.ssl.checkserveridentity=true where SMTPS is used) in all affected applications as an immediate compensating control.
- Rotate SMTP service account credentials that may have been exposed over sessions lacking hostname verification.
- Restrict outbound SMTP egress to known relay IP addresses at the network boundary.
Patch Information
Upgrade to a fixed Spring Boot release as published in the Spring Security Advisory CVE-2026-40992. Affected branches are 3.4.0 through 3.4.16, 3.5.0 through 3.5.14, and 4.0.0 through 4.0.6. Apply the corresponding patch release on each branch and redeploy applications that bundle the framework.
Workarounds
- Explicitly enable hostname verification through JavaMail properties as shown below until the patched version can be deployed.
- Pin outbound SMTP connections to a trusted internal relay reachable only over a private network segment.
- Configure mutual TLS (mTLS) between the application and SMTP relay where supported.
# application.properties - enable JavaMail hostname verification
spring.mail.properties.mail.smtp.ssl.checkserveridentity=true
spring.mail.properties.mail.smtps.ssl.checkserveridentity=true
spring.mail.properties.mail.smtp.starttls.enable=true
spring.mail.properties.mail.smtp.starttls.required=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.