
Spring Patches 8 Vulnerabilities Including Critical Arbitrary Code Execution Flaw


Summary

ACN issued alert AL02/260424/CSIRT-ITA disclosing 8 security vulnerabilities in Spring, the open-source Java enterprise framework. Among them are one critical-severity and two high-severity flaws affecting Spring Boot 2.7.x through 4.0.x, as well as earlier end-of-life releases that are no longer supported. The alert lists the vulnerability types as arbitrary code execution, authentication bypass, information disclosure and privilege escalation; it gives no CVSS scores and does not map individual CVEs to those types, so per-CVE severity and affected components must be taken from the linked spring.io advisories. ACN recommends updating affected installations to the patched versions named in the vendor security bulletins.

“Security updates resolve 8 vulnerabilities, including one of "critical" and two of "high" severity, in Spring, a well-known open-source framework for developing Java applications, used in enterprise environments.”

ACN, quoted from the source (translated from Italian)
Why this matters

Organizations running Spring Boot should audit their environments against the affected version ranges now. The alert lists only the release lines that received fixes (2.7.x, 3.3.x, 3.4.x, 3.5.x and 4.0.x) and folds every other release, for example 3.0.x through 3.2.x, into "all earlier versions no longer supported", so an application on one of those lines is not unaffected merely because it is absent from the table; it needs a migration to a supported line. The alert's table records no public PoC and no observed exploitation for the three named CVEs at publication, but a critical arbitrary code execution flaw makes unpatched internet-facing Spring applications the highest-priority remediation target regardless.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by ACN on acn.gov.it. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.


What changed

ACN published an alert covering 8 resolved vulnerabilities in Spring, the open-source Java framework widely used in enterprise applications. One is rated critical (arbitrary code execution) and two are rated high; the alert's type list also names authentication bypass, information disclosure and privilege escalation, without mapping them to individual CVEs. Affected versions are Spring Boot 2.7.x (up to 2.7.32), 3.3.x (up to 3.3.18), 3.4.x (up to 3.4.15), 3.5.x (up to 3.5.13) and 4.0.x (up to 4.0.5), plus all earlier end-of-life versions. The alert itemizes only the CVEs for the critical and high findings: CVE-2026-40976, CVE-2026-40972 and CVE-2026-40973, none of which had a public PoC or observed exploitation recorded at publication.

Organizations running Spring-based applications should identify the Spring Boot versions in their environments and apply updates immediately. The critical arbitrary code execution flaw poses the highest risk and should be prioritized. The alert sets no compliance deadline; it is a non-binding advisory that defers to the vendor's security bulletins for the fixed versions.

What to do next

  1. Update vulnerable Spring Boot deployments to the patched releases named in the vendor security bulletins; treat anything on a line the alert does not list (for example 3.0.x through 3.2.x) as an end-of-life release to migrate, not as unaffected
  2. Consult the spring.io advisories linked in the alert (https://spring.io/security and the three per-CVE pages) for the affected components and fixed versions of each CVE, or contact ACN for further guidance
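The audit the two steps above call for can be automated against packaged applications. The following Python script is an added example written for this page; it is not ACN's code and not part of the Spring project. It reads the `Spring-Boot-Version` attribute that Spring Boot's Maven and Gradle repackaging plugins write into an executable JAR's manifest, falls back to the `spring-boot-<version>.jar` entry under `BOOT-INF/lib`, and classifies each version against the ranges in the alert, treating lines the alert does not list as unsupported rather than safe. The JAR files produced by `build_fixture` are constructed fixtures, not real applications, and the names `orders.jar`, `billing.jar`, `legacy.jar` and `plain.jar` are invented for the demo.

```python
"""Inventory Spring Boot versions in packaged JARs and classify them against
the affected ranges published in ACN alert AL02/260424/CSIRT-ITA."""
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges from the alert, keyed by release line: (first, last) affected.
AFFECTED = {
    (4, 0): ((4, 0, 0), (4, 0, 5)),
    (3, 5): ((3, 5, 0), (3, 5, 13)),
    (3, 4): ((3, 4, 0), (3, 4, 15)),
    (3, 3): ((3, 3, 0), (3, 3, 18)),
    (2, 7): ((2, 7, 0), (2, 7, 32)),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'3.4.15' or '3.4.15-SNAPSHOT' -> (3, 4, 15); qualifiers are ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version):
    """Map a (major, minor, patch) tuple to one of three outcomes.

    'affected'    - inside a range the alert lists as vulnerable
    'patched'     - on a listed line but above its last affected release
    'unsupported' - on a line the alert does not list at all (e.g. 3.2.x);
                    the alert folds these into "all earlier EOL versions",
                    so they must be treated as vulnerable and migrated.
    """
    line = version[:2]
    if line not in AFFECTED:
        return "unsupported"
    first, last = AFFECTED[line]
    return "affected" if first <= version <= last else "patched"


def spring_boot_version(jar_path):
    """Return the Spring Boot version recorded in an executable JAR, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            # Written by the Spring Boot Maven/Gradle repackaging plugins.
            m = re.search(r"^Spring-Boot-Version:\s*(\S+)", manifest, re.M)
            if m:
                return m.group(1)
        # Fallback: the repackaged spring-boot artefact itself. Requiring a
        # digit after "spring-boot-" keeps spring-boot-autoconfigure-*.jar out.
        for name in names:
            m = re.match(r"BOOT-INF/lib/spring-boot-(\d+\.\d+\.\d+)[^/]*\.jar$", name)
            if m:
                return m.group(1)
    return None


def audit(directory):
    """Map each *.jar in `directory` to (version string, classification)."""
    report = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        version = spring_boot_version(jar)
        status = classify(parse_version(version)) if version else "unknown"
        report[jar.name] = (version, status)
    return report


def build_fixture(directory):
    """Constructed sample JARs for the demo; these are not real applications."""
    samples = {
        "orders.jar": ("manifest", "3.4.15"),   # last affected 3.4.x release
        "billing.jar": ("manifest", "3.5.14"),  # first release above the range
        "legacy.jar": ("lib", "3.2.12"),        # line the alert does not list
        "plain.jar": (None, None),              # not a Spring Boot JAR
    }
    for name, (source, version) in samples.items():
        with zipfile.ZipFile(Path(directory) / name, "w") as zf:
            manifest = "Manifest-Version: 1.0\r\n"
            if source == "manifest":
                manifest += f"Spring-Boot-Version: {version}\r\n"
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            if source == "lib":
                zf.writestr(f"BOOT-INF/lib/spring-boot-{version}.jar", b"")


def demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for name, (version, status) in demo().items():
        print(f"{name:12} {version or '-':10} {status}")
```

Point `audit()` at the directory your pipeline publishes JARs to. Two caveats: the alert is framed at the Spring Boot release level, so the "patched" outcome only means the version sits above the alert's range and the actual fixed releases and affected Spring Framework or Spring Security modules should be confirmed against the spring.io advisories it links; and a Boot version above a range is evidence, not proof, that an individually pinned dependency under `BOOT-INF/lib` was also bumped.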

Archived snapshot

Apr 24, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


Vulnerabilities resolved in Spring

Alert

AL02/260424/CSIRT-ITA


Summary

Security updates resolve 8 vulnerabilities, including one of "critical" and two of "high" severity, in Spring, a well-known open-source framework for developing Java applications, used in enterprise environments.

Type

  • Arbitrary Code Execution
  • Authentication Bypass
  • Information Disclosure
  • Privilege Escalation

Affected products and/or versions

Spring Boot

  • 4.0.x: versions 4.0.0 through 4.0.5
  • 3.5.x: versions 3.5.0 through 3.5.13
  • 3.4.x: versions 3.4.0 through 3.4.15
  • 3.3.x: versions 3.3.0 through 3.3.18
  • 2.7.x: versions 2.7.0 through 2.7.32
  • all earlier versions that are no longer supported (EOL).

Mitigation actions

In line with the vendor's statements, it is recommended to update the vulnerable products following the instructions in the security bulletins listed in the References section.

Only the CVEs for the vulnerabilities rated "critical" and "high" are listed below:

CVE (3)

| CVE | PoC | Exploitation |
| --- | --- | --- |
| CVE-2026-40976 | - | - |
| CVE-2026-40972 | - | - |
| CVE-2026-40973 | - | - |

References (4)

  1. https://spring.io/security/cve-2026-40976
  2. https://spring.io/security/cve-2026-40972
  3. https://spring.io/security/cve-2026-40973
  4. https://spring.io/security

Change log

| Version | Notes | Date |
| --- | --- | --- |
| 1.0 | Published on 24-04-2026 | 24/04/2026 |

Systemic impact

High (65.51)

Publication date

24/04/2026 at 11:38

Last updated

24/04/2026 at 11:38


About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ACN.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: ACN
Published: April 24th, 2026
Instrument: Notice
Branch: Executive
Source language: it
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Government agencies, Healthcare providers, Financial advisers
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability remediation, Patch management, Enterprise software maintenance
Geographic scope: IT

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Information Technology, Data Privacy
