
fix(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.4 [security]#182

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-main/maven-org.springframework.boot-spring-boot-starter-actuator-vulnerability

Conversation

@renovate
Contributor

@renovate renovate Bot commented Mar 31, 2026

This PR contains the following updates:

Package | Change
org.springframework.boot:spring-boot-starter-actuator (source) | 4.0.3 -> 4.0.4

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Spring Boot has an Authentication Bypass under Actuator Health groups paths

CVE-2026-22731 / GHSA-8hfc-fq58-r658

More information

Details

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.
This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.
This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints

CVE-2026-22733 / GHSA-mgvc-8q2h-5pgc

More information

Details

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-actuator)

v4.0.4

Compare Source

⚠️ Attention Required
  • OpenTelemetry's ZipkinSpanExporter has been deprecated and its support will be removed in Spring Boot 4.2. #49453
  • Jackson 2 has been upgraded to 2.21.1 in response to the Jackson team ending support for Jackson 2.20.x. #49389
  • Jackson has been upgraded to 3.1.0 in response to the Jackson team ending support for Jackson 3.0.x. #49383
  • The default value for server.tomcat.max-part-count has been increased from 10 to 50. This aligns it with Tomcat's own default and the default in Spring Boot 3.x. #49311
🐞 Bug Fixes
  • EndpointRequest request matcher for health groups is too complex #49649
  • "/cloudfoundryapplication" web path is not limited to Actuator #49646
  • Fix EndpointRequest.toLinks() when base-path is '/' #49617
  • Docker fails when a 'tcp://' address ends with a slash (for example 'tcp://docker:2375/') #49596
  • RSocket exposes duplicate endpoint for websocket setups #49593
  • Failure analysis for a missing mail sender is misleading #49582
  • SpringBootContextLoader mentions class that no longer exists in message for classes or locations assertion #49535
  • Ordering of 'spring.config.import' is inconsistent when defined in environment or system properties #49482
  • "spring.main.cloud-platform=none" does not disable cloud features #49479
  • SSL support with Docker Compose does not work as documented #49385
  • Auto-configuration overrides authorization server configuration applied by Customizer beans #49367
  • Using @AutoConfigureWebTestClient prevents separate configuration of spring.test.webtestclient.timeout from taking effect #49344
  • NoSuchMethodException when forcing the use of Log4J2LoggingSystem using org.springframework.boot.logging.LoggingSystem system property #49343
  • RouterFunctions descriptions in Actuator do not support nesting #49302
  • Maven plugin does not set '-parameters' option when processing AOT code #49295
  • HTTP Service Interface Client doesn't work in a native image due to missing property binding #49274
  • ErrorPageRegistrarBeanPostProcessor is not auto-configured in war deployments and the ErrorPageCustomizer is not applied #49176
  • Missing starter for spring-boot-restdocs #48289
📔 Documentation
  • Document support for Java 26 #49604
  • List all supported colors when describing color-coded log output #49562
  • Improve EndpointRequest matcher documentation #49520
  • Clarify that running is the only supported input state when triggering a Quartz job through the Actuator endpoint #49514
  • Document security considerations for forwarded headers in cloud deployments #49507
  • Tutorial in the reference guide has outdated instructions #49429
  • Document additional repositories required for shibboleth.net #49392
  • Javadoc of JettyHttpClientBuilder refers to the wrong type #49387
  • Example spring-devtools.properties file is shown in the wrong format #49362
  • Clarify inferred relationships between OAuth 2 registrations and providers #49327
  • Mention using org.springframework.boot.aot Gradle plugin directly for AOT processing with the JVM #49321
  • Remove superfluous semi-colon from read timeout configuration example for HTTP service interface clients #49306
  • Update CLI's INSTALL.txt to reflect Groovy no longer being bundled #49298
  • JDK requirement for the CLI still refers to Java 8 #49293
  • Java and Kotlin samples of an environment post processor are inconsistent #49287
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@FBibonne, @answndud, @bbbbooo, @chandanv89, @giyeon95, @itsmevichu, @jayychoi, @l2yujw, @ngocnhan-tran1996, @qnnn, @quaff, and @sbrannen


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
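A configuration audit for the precondition both advisories above describe (an application route declared under a health-group additional path, or under the CloudFoundry Actuator path), written here as an added example; it is not Renovate's or Spring Boot's code. It assumes the documented `management.endpoint.health.group.<name>.additional-path` and `management.cloudfoundry.enabled` keys, and the properties file and route list are constructed samples.

```python
import re
CLOUDFOUNDRY_PATH = "/cloudfoundryapplication"  # named in the 4.0.4 release notes (CVE-2026-22733)
# Documented Spring Boot key; its value has the form "server:/path" or "management:/path".
ADDITIONAL_PATH_KEY = re.compile(r"^management\.endpoint\.health\.group\.([^.]+)\.additional-path$")

# Constructed sample input: an application.properties and the routes an application's
# request mappings declare (stand-in data, not taken from any real project).
SAMPLE_PROPERTIES = """\
management.endpoint.health.group.live.additional-path=server:/healthz
management.endpoint.health.group.ready.additional-path=management:/ready
"""
SAMPLE_ROUTES = ["/api/orders", "/healthz/admin", "/cloudfoundryapplication/debug", "/ready"]

def parse_properties(text):
    """Minimal key=value parser for a .properties file; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def actuator_prefixes(props):
    """Map each path Actuator may claim on the application's own port to the reason it does."""
    prefixes = {}
    # CloudFoundry endpoints are on by default; they are only live when running on Cloud Foundry.
    if props.get("management.cloudfoundry.enabled", "true").lower() != "false":
        prefixes[CLOUDFOUNDRY_PATH] = "CloudFoundry Actuator path (CVE-2026-22733)"
    for key, value in props.items():
        m = ADDITIONAL_PATH_KEY.match(key)
        if m:
            port, _, path = value.partition(":")
            if port.strip() == "server":  # "management:" paths are served on the management port
                prefixes["/" + path.strip().strip("/")] = f"health group '{m.group(1)}' additional path (CVE-2026-22731)"
    return prefixes

def find_collisions(props, app_routes):
    """Routes at or under an Actuator-owned prefix: the precondition both advisories describe."""
    findings = []
    for prefix, reason in actuator_prefixes(props).items():
        for route in app_routes:
            if route == prefix or route.startswith(prefix.rstrip("/") + "/"):
                findings.append((route, prefix, reason))
    return sorted(findings)

if __name__ == "__main__":
    for route, prefix, reason in find_collisions(parse_properties(SAMPLE_PROPERTIES), SAMPLE_ROUTES):
        print(f"{route} sits under {prefix} ({reason}): pin spring-boot >= 4.0.4 and review the route")
```

Routes on the management port (`management:` additional paths) are deliberately not flagged, since the advisories concern paths shared with the application's own endpoints.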


@renovate renovate Bot changed the title chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.5 [security] chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate-main/maven-org.springframework.boot-spring-boot-starter-actuator-vulnerability branch April 27, 2026 17:37
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.5 [security] - autoclosed chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.5 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate-main/maven-org.springframework.boot-spring-boot-starter-actuator-vulnerability branch 3 times, most recently from 40b5e9e to 953f6df Compare April 29, 2026 09:34
@renovate renovate Bot changed the title chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.5 [security] chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.6 [security] Apr 29, 2026
@renovate renovate Bot changed the title chore(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.6 [security] fix(deps): update dependency org.springframework.boot:spring-boot-starter-actuator to v4.0.4 [security] May 22, 2026
@renovate renovate Bot force-pushed the renovate-main/maven-org.springframework.boot-spring-boot-starter-actuator-vulnerability branch from 953f6df to b8a5f73 Compare May 22, 2026 03:47
@github-actions github-actions Bot added the bug Something isn't working label May 22, 2026