CVE-2026-22731

Summary

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Boot4.0 < 4.0.3affected
SpringSpring Boot3.5 < 3.5.11affected
SpringSpring Boot3.4 < 3.4.15affected

Weaknesses

  • CWE-288: CWE-288 Authentication bypass using an alternate path or channel

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References