CVE-2026-40992
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Spring Boot does not enable hostname verification in mail auto-configuration. Applications that set the relevant JavaMail property are not affected.
Risk Assessment
The lack of hostname verification may lead to man-in-the-middle attacks, posing a risk of intercepting email data.
Recommendation
It is recommended to enable hostname verification by setting the property spring.mail.properties.mail.smtp.ssl.checkserveridentity=true in the application configuration.
Original NVD description (English source)
Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

