CVE-2026-22733 - Vulnerability Analysis
HighCVSS: 8.2Last Updated: March 20, 2026
Spring Security - Authentication Bypass
Published: March 20, 2026Updated: March 20, 2026Remote Exploitable
Overview
Spring Security 2.7.0 through 2.7.31, 3.3.0 through 3.3.17, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.3 contain an authentication bypass caused by endpoint path conflicts with CloudFoundry Actuator endpoints, letting attackers bypass authentication, exploit requires misconfigured endpoint paths.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Attackers can bypass authentication, gaining unauthorized access to protected application endpoints.
Mitigation
Update to a version later than 4.0.3, 3.5.11, 3.4.14, 3.3.17, and 2.7.31 or the latest available version.
Related Resources
Details
- CVE ID
- CVE-2026-22733
- Severity
- High
- CVSS Score
- 8.2
- Type
- broken_authentication
- Status
- new
CWE
- CWE-288
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N