What does Mythos mean for ASM? See here

Back
New CVE Detected

CVE-2026-40976 — Default security filter chain missing authorization rule for Actuator (Spring Boot)

## Summary

**CVE-2026-40976** is a critical security vulnerability in Spring Boot’s default security configuration. The issue occurs when the **Spring Actuator** is enabled but the **Health** endpoint (or certain management endpoint configurations) are not present; under these conditions the default security filter chain can be created without an authorization rule for Actuator endpoints. This can leave Actuator endpoints accessible without proper authentication or authorization.

### Affected software

– Spring Boot 4.x versions prior to the vendor fix (fixed in **Spring Boot 4.0.6**).
– Applications that enable Spring Actuator and rely on the default security configuration are at risk if they have the affected configuration (Actuator enabled but Health endpoint disabled or similarly unusual management endpoint settings).

### Technical details

– **Root cause:** When Actuator is present but the Health endpoint is not, the default security filter chain can be instantiated without registering the required authorization rule for Actuator endpoints.
– **Consequence:** Management/Actuator endpoints that are expected to be protected may be left unprotected, allowing unauthenticated remote access to operational endpoints (metrics, config endpoints, shutdown, etc.) depending on which Actuator endpoints are enabled.

### Severity and impact

– **Severity:** Critical (vendor advisory classifies this as CRITICAL).
– **Potential impact:** Unauthorized access to Actuator endpoints can lead to information disclosure (system metrics, configuration), operational disruption (exposed control endpoints), and increased attack surface for follow-on exploitation. The exact impact depends on which Actuator endpoints are enabled in a given application.

### Recommendations

– **Immediate action:** Upgrade Spring Boot to **4.0.6** or later where the issue is fixed.
– **Configuration hardening:** Until you can upgrade, restrict network access to management endpoints (firewall or network ACLs), explicitly configure security rules for Actuator endpoints, and avoid exposing Actuator to untrusted networks.
– **Verify:** Review applications that enabled Spring Actuator and confirm whether the Health endpoint or other management configuration could trigger the default filter-chain behavior; enforce explicit authorization rules for management endpoints in security configuration.

## IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References:

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

  • Mapping of all Assets with this Technology
  • Identification of potentially exposed assets to this CVE
  • Confirmation of verified exploitable assets
Get Exposure Report

IONIX customers have been notified of their exposures to this CVE/threat

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

  • Mapping of all Assets with this Technology
  • Identification of potentially exposed assets to this CVE
  • Confirmation of verified exploitable assets
Get Exposure Report
Close

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge