Skip to main content

Spring CVE-2025-70982

CRITICAL
Improper Access Control (CWE-284)
2026-01-26 cve@mitre.org
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
PoC Detected
Feb 12, 2026 - 15:43 vuln.today
Public exploit code
CVE Published
Jan 26, 2026 - 17:16 nvd
CRITICAL 9.9

DescriptionCVE.org

Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.

AnalysisAI

Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.

Technical ContextAI

CWE-284 in SpringBlade's importUser function. Low-privileged users can import users with elevated roles.

RemediationAI

Update SpringBlade. Restrict import functionality to administrators.

More in Spring

View all
CVE-2025-41243 CRITICAL POC
10.0 Sep 16

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severi

CVE-2025-41242 MEDIUM POC
5.9 Aug 18

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant

CVE-2025-70983 CRITICAL
9.9 Jan 23

SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through t

CVE-2025-41232 CRITICAL
9.1 May 21

Spring Security Aspects may not correctly locate method security annotations on private methods. Rated critical severity

CVE-2025-22235 HIGH
7.3 Apr 28

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been crea

CVE-2026-22718 MEDIUM
6.8 Jan 14

Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arb

CVE-2025-41234 MEDIUM
6.5 Jun 12

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to

CVE-2025-22223 MEDIUM
5.3 Mar 24

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. Ra

CVE-2026-2817 MEDIUM
4.4 Feb 19

Spring Data Geode's snapshot import functionality uses predictable temporary directories with overly permissive permissi

CVE-2025-41249 HIGH
7.5 Sep 16

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarc

CVE-2025-41248 HIGH
7.5 Sep 16

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarch

CVE-2025-8525 MEDIUM POC
5.5 Aug 04

A vulnerability was found in Exrick xboot up to 3.3.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely

Share

CVE-2025-70982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy