PT-2026-26435 · VMware · Spring Security

Wyfrel · Published 2026-03-19 · Updated 2026-05-18 · CVE-2026-22732

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Spring Security versions 5.7.0 through 5.7.21
Spring Security versions 5.8.0 through 5.8.23
Spring Security versions 6.3.0 through 6.3.14
Spring Security versions 6.4.0 through 6.4.14
Spring Security versions 6.5.0 through 6.5.8
Spring Security versions 7.0.0 through 7.0.3
Description

In servlet applications that use lazy (the default) writing of HTTP headers, it is possible that configured HTTP response headers are never written. Security headers can therefore be silently dropped, without errors or log entries, potentially exposing applications to data leaks. Additionally, some reports indicate the issue may be related to an insecure direct object reference that could allow a remote attacker to execute arbitrary code via a specially crafted HTTP request.
Recommendations

Update versions 5.7.0 through 5.7.21 to a version later than 5.7.21.
Update versions 5.8.0 through 5.8.23 to a version later than 5.8.23.
Update versions 6.3.0 through 6.3.14 to a version later than 6.3.14.
Update versions 6.4.0 through 6.4.14 to a version later than 6.4.14.
Update versions 6.5.0 through 6.5.8 to a version later than 6.5.8.
Update versions 7.0.0 through 7.0.3 to a version later than 7.0.3.

Related Identifiers

BDU:2026-03480
CLEANSTART-2026-AV84730
CLEANSTART-2026-DY69070
CLEANSTART-2026-GN46454
CLEANSTART-2026-KB76878
CLEANSTART-2026-SR31778
CLEANSTART-2026-TK07726
CLEANSTART-2026-VN28553
CVE-2026-22732
GHSA-MF92-479X-3373

Affected Products

Spring Security