PT-2026-26453 · Spring · Spring Security

G2H +1 · Published 2026-03-19 · Updated 2026-03-20 · CVE-2026-22733

CVSS v3.1: 8.2 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Spring Boot applications with Actuator can be vulnerable to an authentication bypass when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security versions 4.0.0 through 4.0.3, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.17, and 2.7.0 through 2.7.31.

Fix

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2026-22733

Affected Products

Spring Security