CVE-2026-22732 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: March 20, 2026
Spring Security - Misconfiguration
Overview
Spring Security versions 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, and 6.5.0 through 7.0.3 contain an insecure-configuration issue: in servlet applications, HTTP response headers that the application has configured may not be written, which could let attackers bypass the security controls those headers provide. Exploitation requires a specific application configuration.
Severity & Score
Impact
Attackers can bypass security controls due to missing HTTP headers, potentially leading to information disclosure or other attacks.
Mitigation
Update to a version later than 7.0.3 or the latest available version.
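Because the advisory's point is that configured headers may silently go unwritten, the practical check after patching (or while a patch is pending) is to verify what the application actually returns rather than what its configuration says. The following Python script is an added example, not code from this page or from the Spring Security project; the header list in `EXPECTED_HEADERS` and the sample responses are constructed assumptions, and `fetch_headers` is a hypothetical helper for running the same audit against a live endpoint.

```python
"""Audit HTTP responses for the security headers an application is expected
to send. Added example for CVE-2026-22732; not Spring Security code.
The expected-header set and sample responses are constructed assumptions."""
from urllib.request import Request, urlopen
from urllib.error import URLError

# Assumed set of headers the application is configured to emit. Spring
# Security's default header writers cover most of these; Content-Security-Policy
# is listed on the assumption that the application configures CSP explicitly.
EXPECTED_HEADERS = {
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Cache-Control",
    "Content-Security-Policy",
}


def missing_security_headers(headers, expected=EXPECTED_HEADERS):
    """Return the sorted list of expected header names absent from `headers`.

    Header names are compared case-insensitively, as HTTP requires, so a
    response that sends `strict-transport-security` still counts as present.
    """
    present = {name.lower() for name in headers}
    return sorted(h for h in expected if h.lower() not in present)


def audit_responses(responses, expected=EXPECTED_HEADERS):
    """Audit a mapping of path -> response-header dict.

    Returns only the paths with gaps, mapped to the headers they lack, so an
    empty dict means every audited response carried the full expected set.
    """
    return {
        path: gaps
        for path, hdrs in responses.items()
        if (gaps := missing_security_headers(hdrs, expected))
    }


def fetch_headers(url, timeout=5):
    """Hypothetical live check: fetch `url` and return its response headers.

    Not used by the offline demonstration below; call it to build the
    `responses` mapping for `audit_responses` against a running service.
    """
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return dict(resp.headers.items())
    except URLError as exc:
        raise RuntimeError(f"could not fetch {url}: {exc}") from exc


# Constructed sample responses: /login carries every expected header (one of
# them in lowercase), while /api/account is missing HSTS and CSP, the kind of
# gap this advisory warns about.
SAMPLE_RESPONSES = {
    "/login": {
        "Content-Type": "text/html",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
        "Content-Security-Policy": "default-src 'self'",
    },
    "/api/account": {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    },
}

if __name__ == "__main__":
    findings = audit_responses(SAMPLE_RESPONSES)
    if not findings:
        print("all audited responses carry the expected security headers")
    for path, gaps in findings.items():
        print(f"{path}: missing {', '.join(gaps)}")
```

Run the audit against every authenticated and unauthenticated path the application serves, not just the login page: the advisory says the missing headers depend on application configuration, so a single endpoint passing is not evidence that the whole application is unaffected.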
Social Media Activity(2 posts)
CVE-2026-22732 (CRITICAL, CVSS 9.1): Spring Security 5.7.0 – 7.0.3 vulnerability lets HTTP headers go unwritten, risking CSP/HSTS bypass. No auth needed, remote exploit possible. Upgrade urgently & enforce headers via WAF/CDN! https://radar.offseq.com/threat/cve-2026-22732-vulnerability-in-spring-spring-secu-2c8fbdd8 #OffSeq #SpringSecurity #CVE202622732
CVE-2026-22732 - Critical (9.1) When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through... https://www.thehackerwire.com/vulnerability/CVE-2026-22732/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-22732
- Severity: Critical
- CVSS Score: 9.1
- Type: misconfiguration
- Status: unconfirmed
- EPSS: 1.1%
- Social Posts: 2
CWE
- CWE-425
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N