CVE-2026-22732 PUBLISHED CVSS 9.1 CRITICAL

A critical security vulnerability, CVE-2026-22732, has been identified in Spring Security versions 5.7.0 through 7.0.3: under certain conditions the HTTP response headers that Spring Security adds for servlet applications may not be written. A response that goes out without those headers is open to attacks they would otherwise block, including sensitive data disclosure when a cache retains a page that should not have been stored. Users of affected versions should upgrade immediately to the fixed release on their line: 5.7.22, 5.8.24, 6.3.15, 6.4.15 (Enterprise Support), or 6.5.9 and 7.0.4 (OSS). Older, unsupported versions may also be affected and should be migrated to a supported release as a priority. After upgrading, confirm that responses actually carry the expected headers rather than relying on the version bump alone.
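The two checks a practitioner wants here, written as an added example and not code from the advisory or the Spring Security project: a version-range lookup against the fix lines named above, and an audit of a servlet response's headers to confirm that Spring Security's default header set is being written. The expected header set is an assumption taken from Spring Security's documented defaults (Cache-Control, Pragma, Expires, X-Content-Type-Options, X-Frame-Options, plus Strict-Transport-Security on HTTPS only); the sample responses are constructed, not captured from a real application.

```python
"""Added checks for CVE-2026-22732 (Spring Security response headers not
written): (1) a version-range lookup against the fix lines in the advisory,
(2) an audit of a response's headers against Spring Security's documented
default header set, to confirm after upgrading that they are written."""

from urllib.error import HTTPError
from urllib.request import urlopen

# Fixed releases named in the advisory, keyed by major.minor line.
FIXED_BY_LINE = {
    (5, 7): (5, 7, 22),
    (5, 8): (5, 8, 24),
    (6, 3): (6, 3, 15),
    (6, 4): (6, 4, 15),
    (6, 5): (6, 5, 9),
    (7, 0): (7, 0, 4),
}
AFFECTED_LOW, AFFECTED_HIGH = (5, 7, 0), (7, 0, 3)


def parse_version(version: str) -> tuple:
    """'6.4.15' -> (6, 4, 15); qualifiers such as '-SNAPSHOT' are dropped."""
    core = version.split("-")[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def status(version: str) -> tuple:
    """Return (state, fixed_release) for a Spring Security version string.

    state is 'affected', 'fixed', 'not_affected' or 'unsupported' (older than
    5.7.0: the advisory says these may be affected and should be migrated).
    fixed_release is the patched version on the same line, when one is listed.
    """
    v = parse_version(version)
    if v < AFFECTED_LOW:
        return "unsupported", None
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is not None:
        return ("fixed" if v >= fixed else "affected"), ".".join(map(str, fixed))
    if v <= AFFECTED_HIGH:
        # In the affected range on a line with no fix listed (e.g. 6.0-6.2):
        # migrate to a supported line.
        return "affected", None
    return "not_affected", None


# Assumption: Spring Security's documented default servlet header set.
# Strict-Transport-Security is only added on HTTPS requests.
EXPECTED_PRESENT = ("cache-control", "pragma", "expires",
                    "x-content-type-options", "x-frame-options")


def audit_headers(headers: dict, https: bool = False) -> list:
    """Return a list of findings; an empty list means the defaults are present."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = [f"{name}: missing" for name in EXPECTED_PRESENT if name not in got]
    cc = got.get("cache-control", "")
    if "cache-control" in got and "no-store" not in cc.lower():
        # Without no-store a shared cache may retain an authenticated page.
        findings.append(f"cache-control: {cc!r} lacks no-store")
    if got.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("x-content-type-options: not nosniff")
    if https and "strict-transport-security" not in got:
        findings.append("strict-transport-security: missing on HTTPS")
    return findings


def audit_url(url: str) -> list:
    """Fetch a URL and audit its response headers (network; not exercised offline)."""
    try:
        with urlopen(url) as resp:
            hdrs = dict(resp.headers)
    except HTTPError as e:  # a 401/403 from the security filter still carries headers
        hdrs = dict(e.headers)
    return audit_headers(hdrs, https=url.startswith("https://"))


# Constructed sample responses, not captured from a real application.
HEALTHY = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html;charset=UTF-8",
}
HEADERS_DROPPED = {  # what a response looks like when the filter never writes them
    "Cache-Control": "public, max-age=3600",
    "Content-Type": "text/html;charset=UTF-8",
}

if __name__ == "__main__":
    print(status("6.4.14"), status("7.0.4"), status("6.1.0"))
    print(audit_headers(HEALTHY))
    print(audit_headers(HEADERS_DROPPED))
```

Run `audit_url("https://app.example/login")` (hypothetical URL) against an authenticated endpoint after deploying the fix; an empty list is the result you want, and a `cache-control ... lacks no-store` finding on a page that renders user data is the case the advisory warns about.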

EPSS 0.01% · 2.5th percentile

Risk Scores

CVSS v3.1
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.01%
2.5th percentile

Affected Products

Vendor | Product | Versions
Spring | Spring Security | 5.7.0 through 7.0.3
