Unknown · Spring Security · CVE-2024-38810
**Name of the Vulnerable Software and Affected Versions**
Spring Security versions 6.3.0 through 6.3.1
**Description**
`@AuthorizeReturnObject` is a Spring Security 6.3 feature: when placed on a method, it wraps the returned object in a proxy so that method-security annotations such as `@PreAuthorize` and `@PostAuthorize` on that object's own methods are enforced. In 6.3.0 and 6.3.1 this authorization is missing in some cases, so an attacker can call those annotated methods on the returned object and read data the annotations were meant to protect. Any application that relies on `@AuthorizeReturnObject` to guard sensitive fields of domain objects is potentially exposed. At the time of writing, the available data put the number of potentially affected applications at approximately 8,577, with over 1,200 results on a specific search platform.
**Recommendations**
Spring Security 6.3.2 contains the fix; users of 6.3.0 and 6.3.1 should upgrade to it. If an upgrade is not immediately possible, stop relying on `@AuthorizeReturnObject` for enforcement: move the checks onto the service methods that return the objects (for example with `@PreAuthorize` or `@PostAuthorize` on those methods) so that the annotations cannot be rendered ineffective. Verify after either step by calling an annotated method on a returned object with an unauthorized principal and confirming that an `AccessDeniedException` is raised.
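The following is an added example, not code from the advisory or from the Spring project, illustrating both the mechanism described above and the verification step recommended for a deployment. The classes `Employee`, `EmployeeService`, `TestConfig` and `AuthorizeReturnObjectTest` are hypothetical, and the sample employee record is constructed. The test `nonAdminCannotReadSsn` fails if the `@PreAuthorize` on the returned object is not enforced; because the advisory does not detail which annotation placements trigger the bypass, a passing test is evidence for the case it covers, not proof that the deployment is unaffected.

```java
// Added example (not from the advisory or the Spring project): a minimal
// @AuthorizeReturnObject setup plus a test that checks whether the annotations
// on the returned object are actually enforced. All names are hypothetical.
package example;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

// Domain object whose sensitive getter is guarded by a method-security annotation.
// Must be non-final with non-final public methods so the CGLIB proxy can intercept them.
class Employee {
    private final String name;
    private final String ssn;

    Employee(String name, String ssn) {
        this.name = name;
        this.ssn = ssn;
    }

    public String getName() {
        return name;
    }

    // Only ADMIN may read the SSN. This is the kind of annotation that
    // CVE-2024-38810 allows an attacker to bypass on affected versions.
    @PreAuthorize("hasRole('ADMIN')")
    public String getSsn() {
        return ssn;
    }
}

// Service returning the domain object. @AuthorizeReturnObject asks Spring Security
// to wrap the returned Employee in a proxy that enforces @PreAuthorize on its methods.
class EmployeeService {
    @AuthorizeReturnObject
    public Employee find(String name) {
        return new Employee(name, "123-45-6789"); // constructed sample data
    }
}

@Configuration
@EnableMethodSecurity
class TestConfig {
    @Bean
    EmployeeService employeeService() {
        return new EmployeeService();
    }
}

@SpringJUnitConfig(TestConfig.class)
class AuthorizeReturnObjectTest {
    @Autowired
    EmployeeService service;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminCannotReadSsn() {
        Employee e = service.find("alice");
        assertEquals("alice", e.getName()); // unannotated method is unaffected
        // On a fixed version this throws. If getSsn() returns the value instead,
        // the returned object's annotations are not enforced and the deployment
        // is affected.
        assertThrows(AccessDeniedException.class, e::getSsn);
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanReadSsn() {
        assertEquals("123-45-6789", service.find("alice").getSsn());
    }
}
```

Run the test against the exact Spring Security artifact the application ships with (check `spring-security-core` in the resolved dependency tree rather than the declared version, since a BOM or transitive dependency may pin 6.3.0 or 6.3.1). After upgrading to 6.3.2, or after moving the check onto `EmployeeService.find` with `@PreAuthorize`, both tests should pass.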