PT-2026-34252 · Spring · Spring Security

Published 2026-04-22 · Updated 2026-05-25 · CVE-2026-22748

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Spring Security versions 6.3.0 through 6.3.14
Spring Security versions 6.4.0 through 6.4.14
Spring Security versions 6.5.0 through 6.5.9
Spring Security versions 7.0.0 through 7.0.4
Description

An issue exists when an application configures JWT decoding by constructing NimbusJwtDecoder or NimbusReactiveJwtDecoder itself. In that case the decoder does not come with the OAuth2TokenValidator<Jwt> the application may expect: the validator must be configured separately, for example by calling setJwtValidator. The advisory does not describe the mechanism further. The practical consequence matches the vector (Integrity: High, Confidentiality and Availability: None): a token that the decoder accepts may not have been checked against the claim validators the application relies on (issuer, audience, timestamps) unless the application installed them explicitly.
Recommendations

For all affected versions (6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, 7.0.0 through 7.0.4): wherever the application uses NimbusJwtDecoder or NimbusReactiveJwtDecoder, configure an OAuth2TokenValidator<Jwt> separately by calling setJwtValidator. Audit every place a decoder is built directly (via the builder methods or a constructor) rather than obtained from a factory or auto-configuration that applies validators for you; a decoder on which setJwtValidator was never called is the case this advisory covers. After wiring the validator, confirm it actually rejects tokens with a wrong issuer, a wrong audience and an expired lifetime, not just that decoding succeeds for a good token.
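The following is an added worked example, written for this page and not taken from the advisory or from the Spring Security project, of the recommended fix: a NimbusJwtDecoder and a NimbusReactiveJwtDecoder built directly and then given an explicit validator chain through setJwtValidator. The issuer URL, JWK set URI and expected audience ("api") are placeholders, and the main method exercises the validator offline on constructed, unsigned Jwt objects (no JWKS fetch, no signature) so the rejection behaviour can be checked without a running authorization server.

```java
import java.time.Instant;
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;

public class JwtDecoderValidation {

    // Placeholder values for this example; substitute the real authorization server.
    static final String ISSUER = "https://issuer.example.com";
    static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    static final String EXPECTED_AUDIENCE = "api";

    /** Validator chain: Spring's defaults plus issuer check, plus an explicit audience check. */
    static OAuth2TokenValidator<Jwt> jwtValidator() {
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        return new DelegatingOAuth2TokenValidator<>(withIssuer, audience);
    }

    /** Servlet decoder built directly: the validator must be set explicitly. */
    static NimbusJwtDecoder servletDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        decoder.setJwtValidator(jwtValidator());
        return decoder;
    }

    /** Reactive equivalent, same rule. */
    static NimbusReactiveJwtDecoder reactiveDecoder() {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        decoder.setJwtValidator(jwtValidator());
        return decoder;
    }

    /** Constructed Jwt (no signature) used only to exercise the validator offline. */
    static Jwt sampleToken(String issuer, List<String> audience, Instant expiresAt) {
        return Jwt.withTokenValue("constructed-token")
                .header("alg", "RS256")
                .header("typ", "JWT")
                .issuer(issuer)
                .audience(audience)
                .issuedAt(Instant.now().minusSeconds(60))
                .expiresAt(expiresAt)
                .subject("alice")
                .build();
    }

    static void check(OAuth2TokenValidator<Jwt> validator, String label, Jwt jwt, boolean expectRejected) {
        OAuth2TokenValidatorResult result = validator.validate(jwt);
        if (result.hasErrors() != expectRejected) {
            throw new AssertionError(label + ": unexpected result " + result.getErrors());
        }
        System.out.println(label + ": " + (result.hasErrors() ? "rejected " + result.getErrors() : "accepted"));
    }

    public static void main(String[] args) {
        OAuth2TokenValidator<Jwt> validator = jwtValidator();
        Instant future = Instant.now().plusSeconds(300);
        Instant past = Instant.now().minusSeconds(300);

        check(validator, "good token", sampleToken(ISSUER, List.of(EXPECTED_AUDIENCE), future), false);
        check(validator, "wrong issuer", sampleToken("https://attacker.example", List.of(EXPECTED_AUDIENCE), future), true);
        check(validator, "wrong audience", sampleToken(ISSUER, List.of("other-api"), future), true);
        check(validator, "expired", sampleToken(ISSUER, List.of(EXPECTED_AUDIENCE), past), true);
    }
}
```

In a Spring Boot application, expose servletDecoder() (or reactiveDecoder()) from a @Bean method of type JwtDecoder (or ReactiveJwtDecoder) so the resource server uses the decoder that carries the validator. The offline checks in main are the "confirm it rejects" step from the recommendations: issuer, audience and expiry are each tested separately so that a validator chain that silently dropped one of them would fail the run rather than go unnoticed.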

Related Identifiers

CVE-2026-22748
GHSA-CVC6-Q2CP-2XHW

Affected Products

Spring Security