PT-2026-26453 · Vmware+1 · Spring Security+2

G2H +1 · Published 2026-03-19 · Updated 2026-05-24 · CVE-2026-22733

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Spring Security versions 4.0.0 through 4.0.3
Spring Security versions 3.5.0 through 3.5.11
Spring Security versions 3.4.0 through 3.4.14
Spring Security versions 3.3.0 through 3.3.17
Spring Security versions 2.7.0 through 2.7.31

Description

Spring Boot applications utilizing Actuator may experience an authentication bypass issue when an application endpoint requiring authentication is configured under the path used by CloudFoundry Actuator endpoints. This allows unauthorized access to protected resources.

Recommendations

Spring Security versions 4.0.0 through 4.0.3 should be updated.
Spring Security versions 3.5.0 through 3.5.11 should be updated.
Spring Security versions 3.4.0 through 3.4.14 should be updated.
Spring Security versions 3.3.0 through 3.3.17 should be updated.
Spring Security versions 2.7.0 through 2.7.31 should be updated.

Fix

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2026-22733
GHSA-MGVC-8Q2H-5PGC

Affected Products

Cloudfoundry Actuator
Spring Boot
Spring Security