A critical security misconfiguration in Spring Boot 4.0.0–4.0.5 allows unauthenticated attackers to bypass security controls and access all application endpoints.

This is a security bypass vulnerability resulting from ineffective default web security. It affects servlet-based applications that lack custom Spring Security configurations and rely solely on default settings while using spring-boot-actuator-autoconfigure.

With a CVSS score of 9.1, this vulnerability poses a severe risk of unauthorized access to sensitive application data and management endpoints. It can lead to complete exposure of backend services and potential data breaches, depending on the information exposed by the application's endpoints.

Immediate Action: Upgrade to Spring Boot version 4.0.6 or later immediately.

Proactive Monitoring: Review application access logs for unusual requests to sensitive endpoints and audit existing security configurations.

Compensating Controls: Implement custom Spring Security filters to explicitly secure all endpoints until the application can be updated.

Public Exploit Available: No

Upgrade to the patched version of Spring Boot as soon as possible. Organizations should also review their application security posture to ensure that proper authentication and authorization controls are in place for all endpoints.