Fluid Attacks Database

Description

Spring Boot's PID file write follows symlinks at predictable default path When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.

Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); PID file / symlink behavior (ApplicationPidFileWriter). Versions that are no longer supported are also affected per vendor advisory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel8	log4j	-	-
rpm rhel9	log4j	-	-
maven	org.springframework.boot:spring-boot-cassandra	>=4.0.0 <4.0.6 \|\| >=3.5.0 <3.5.14 \|\| >=3.4.0 <=3.4.15 \|\| >=3.3.0 <=3.3.18 \|\| >=0 <=2.7.32	4.0.6, 3.5.14

Aliases

1. CVE-2026-409772. NVD-2026-409773. OSV-2026-409774. GCVE-2026-40977

References

1. https://spring.io/security/cve-2026-40977