VDB
CISA-2026-22733
CISA-2026-22733
PUBLISHED
CVSS 8.2 HIGH
Reported by vmware · Published March 19, 2026
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Risk Scores
CVSS 3.1
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spring | Spring Security | 4.0.0, 3.5.0, 3.4.0 |
| Spring | Spring Security | 4.0.0, 3.4.0, 3.3.0 |
Timeline
- Mar 19, 2026 CVE Published