Medium severity (5.0) · NVD Advisory · Published Apr 27, 2026 · Updated May 14, 2026
CVE-2026-40970
Description
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.boot:spring-boot-elasticsearch (Maven) | >= 4.0.0, < 4.0.6 | 4.0.6 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- github.com/advisories/GHSA-c96x-rpm4-349p (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40970 (NVD, advisory)
- spring.io/security/cve-2026-40970 (vendor advisory, web)
- github.com/spring-projects/spring-boot/releases/tag/v4.0.6 (release tag, web)