CVE-2026-22731

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions Spring Boot versions prior to 4.0.3 Spring Boot versions prior to 3.5.11 Spring Boot versions prior to 3.4.15

Description Spring Boot applications utilizing the Actuator feature may be susceptible to an authentication bypass issue. This occurs when an application endpoint requiring authentication is defined under a specific path that is already configured for an additional Health Group path. The issue allows bypassing the intended authentication mechanisms for certain endpoints.

Recommendations Update Spring Boot to version 4.0.3 or later. Update Spring Boot to version 3.5.11 or later. Update Spring Boot to version 3.4.15 or later.

Fix

Authentication Bypass Using an Alternate Path or Channel

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288CWE-306

Related Identifiers

CVE-2026-22731

GHSA-8HFC-FQ58-R658

Affected Products

Spring Boot

CVE-2026-22731

Weakness Enumeration

Related Identifiers

Affected Products

References · 12