CVE-2026-40974

Description

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

Spring / Spring Boot4.0.0 – 4.0.6
Spring / Spring Boot3.5.0 – 3.5.14
Spring / Spring Boot3.4.0 – 3.4.16
Spring / Spring Boot3.3.0 – 3.3.19
Spring / Spring Boot2.7.0 – 2.7.33

References

MISChttps://spring.io/security/cve-2026-40974