CVE-2026-22733

Summary

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Security4.0.0 <= 4.0.3affected
SpringSpring Security3.5.0 <= 3.5.11affected
SpringSpring Security3.4.0 <= 3.4.14affected
SpringSpring Security3.3.0 <= 3.3.17affected
SpringSpring Security2.7.0 <= 2.7.31affected

Weaknesses

  • CWE-288: CWE-288 Authentication bypass using an alternate path or channel

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References