CVE-2026-40992
Description
Spring Boot Mail auto-configuration disables SSL hostname verification, enabling man-in-the-middle attacks on email connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Boot's Mail auto-configuration does not enable SSL hostname verification by default. This affects versions 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, and 3.4.0 through 3.4.16. Applications that explicitly set spring.mail.properties.mail.smtp.ssl.checkserveridentity=true are not vulnerable. [1]
Exploitation
An attacker with network access to the SMTP connection can perform a man-in-the-middle attack by presenting a rogue certificate. Because hostname verification is disabled, the client will accept the certificate without validating that it matches the expected server hostname. No authentication or user interaction is required. [1]
Impact
Successful exploitation allows the attacker to intercept, read, and modify email traffic. This can lead to disclosure of sensitive information (e.g., credentials, business data) and potential integrity compromise of email content. The CVSS v3 base score is 5.0 (Medium). [1]
Mitigation
Users should upgrade to the fixed versions: 4.0.7 (OSS), 4.0.6.1 (Enterprise Support), 3.5.15 (OSS), 3.5.14.1 (Enterprise Support), or 3.4.17 (Enterprise Support). Alternatively, setting the property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true provides a workaround. No other mitigation steps are necessary. [1]
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 4.0.0 - 4.0.6, 3.5.0 - 3.5.14, 3.4.0 - 3.4.16
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.