CVE-2026-40992 MEDIUM

CVE-2026-40992: Mail Auto-Configuration Does Not Enable SSL Hostname Verification

Vendor Spring
Product Spring Boot
Weakness CWE-295
Published June 11, 2026
Last update June 11, 2026

CVSS base score

5.0/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated