PT-2026-24206 · Vaadin+1 · Vaadin 24.9.7+8
Published 2026-03-10 · Updated 2026-05-27 · CVE-2026-2742
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Vaadin versions 14.0.0 through 14.14.0
Vaadin versions 23.0.0 through 23.6.6
Vaadin versions 24.0.0 through 24.9.7
Vaadin versions 25.0.0 through 25.0.1
Description
An authentication bypass exists in Vaadin applications that use Spring Security. A request to the /VAADIN endpoint without a trailing slash is not matched by the security filters, so an unauthenticated user can trigger framework initialization and create a session without proper authorization.
Recommendations
Vaadin versions 14.0.0 through 14.14.0 should be upgraded to 14.14.1.
Vaadin versions 23.0.0 through 23.6.6 should be upgraded to 23.6.7.
Vaadin versions 24.0.0 through 24.9.7 should be upgraded to 24.9.8.
Vaadin versions 25.0.0 through 25.0.1 should be upgraded to 25.0.2 or newer.
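The request shape described above (a path of exactly `/VAADIN`, with no trailing slash) is easy to look for in web-server access logs while an upgrade is being rolled out. The following is an added detection example, not code from the advisory or from Vaadin; it assumes combined/common log format, a case-sensitive path match (the usual servlet-mapping behaviour), and that a query string does not change the path being compared. The sample log lines are constructed.

```python
"""Flag access-log entries that request /VAADIN without a trailing slash, the
request form CVE-2026-2742 describes. Added example; not part of the advisory.
Assumptions: combined/common log format, case-sensitive path match, query
string ignored when comparing the path.
"""
import re
from typing import Optional

# Combined/common log format:
# host ident user [time] "METHOD target PROTO" status size ...
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SUSPECT_PATH = "/VAADIN"  # exact path named in the advisory


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_bare_vaadin_path(target: str) -> bool:
    """True when the request target is exactly /VAADIN with no trailing slash.
    The query string is stripped first, so /VAADIN?x=1 is still flagged.
    /VAADIN/ and /VAADIN/static/... are the normal, filtered forms and are
    not flagged."""
    path = target.split("?", 1)[0]
    return path == SUSPECT_PATH


def find_bare_vaadin_requests(log_text: str) -> list:
    """Return one record per log line that hits the bare /VAADIN path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bare_vaadin_path(rec["target"]):
            hits.append({
                "host": rec["host"],
                "user": rec["user"],   # "-" means no web-server-level auth
                "target": rec["target"],
                "status": rec["status"],
            })
    return hits


# Constructed sample log (not real traffic). Lines 1-2 are the bare path
# with and without a query string; lines 3-4 are normal /VAADIN/ traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /VAADIN HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /VAADIN?v-r=init HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - alice [10/Mar/2026:12:00:03 +0000] "GET /VAADIN/static/client/client.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - alice [10/Mar/2026:12:00:04 +0000] "GET /VAADIN/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:12:00:05 +0000] "GET /login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for hit in find_bare_vaadin_requests(SAMPLE_LOG):
        print(f"{hit['host']} user={hit['user']} {hit['target']} -> {hit['status']}")
```

A 200 response to the bare path on an unpatched version is the signal worth alerting on; after upgrading to the fixed releases listed above, the same requests should be handled by the security filters, which makes this check a useful before/after confirmation of the fix.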
Fix
Improper Access Control
Affected Products
Spring Security
Vaadin 14.0.0
Vaadin 14.14.0
Vaadin 23.0.0
Vaadin 23.6.6
Vaadin 24.0.0
Vaadin 24.9.7
Vaadin 25.0.0
Vaadin 25.0.1