VDB

CISA-2026-22733

CISA-2026-22733 PUBLISHED CVSS 8.2 HIGH

Reported by vmware · Published March 19, 2026

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Risk Scores

CVSS 3.1
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected Products

VendorProductVersions
SpringSpring Security4.0.0, 3.5.0, 3.4.0
SpringSpring Security4.0.0, 3.4.0, 3.3.0

Timeline

  • Mar 19, 2026 CVE Published

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›