CVE-2026-40992
5.0 MEDIUMSpring Boot's Mail auto-configuration does not enable hostname verification
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 5.0 MEDIUM
- Vector
- CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-295
Description
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-45170 — Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validati...
- CVE-2026-45175 — Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes
- CVE-2026-53475 — A flaw was found in assisted-migration-agent (9.3 CRITICAL)
- CVE-2026-9758 — Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered tru... (7.3 HIGH)
- CVE-2026-41714 — Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(... (4.0 MEDIUM)