Home / Vulnerability Intelligence / CVE-2026-22731

CVE-2026-22731 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 20, 2026

Spring Boot - Authentication Bypass

Published: March 19, 2026Updated: March 20, 2026Remote Exploitable

Overview

Spring Boot 4.0 < 4.0.3, 3.5 < 3.5.11, and 3.4 < 3.4.15 contain an authentication bypass caused by misconfiguration of Actuator endpoints under Health Group additional paths, letting attackers bypass authentication, exploit requires specific endpoint path configuration.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 4.1%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass authentication to access protected endpoints, potentially exposing sensitive application data or controls.

Mitigation

Upgrade to Spring Boot 4.0.3, 3.5.11, 3.4.15 or later.

References

https://spring.io/security/cve-2026-22731

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 19, 2026

🟠 CVE-2026-22731 - High (8.2) Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-22731/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-22731
Severity: High
CVSS Score: 8.2
Type: broken_authentication
Status: unconfirmed
EPSS: 4.1%
Social Posts: 1

CWE

CWE-288

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score

4.1%Probability of exploitation in the next 30 days