Spring Security CVE-2026-22754

| EUVD-2026-24612 HIGH
Improper Access Control (CWE-284)
2026-04-22 vmware GHSA-4vrc-j85c-598c
Authentication Bypass Java
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Re-analysis Queued
Apr 22, 2026 - 17:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 06:30 vuln.today

DescriptionNVD

Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.

AnalysisAI

Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all applications using Spring Security 7.0.0-7.0.4 and verify servlet-path-based intercept-url configurations in security XML or Java configurations. Within 7 days: Immediately upgrade Spring Security to version 7.0.5 or later; coordinate with development teams to validate post-upgrade functionality. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-22754 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy