CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Analysis
In Spring Boot applications using Actuator, authentication can be bypassed when application endpoints are configured under Health Group paths, in versions 4.0 before 4.0.3, 3.5 before 3.5.11, and 3.4 before 3.4.15. An unauthenticated attacker can exploit this path-based misconfiguration to gain unauthorized access to protected resources, with high confidence in authentication bypass and partial information disclosure. …
Remediation
Within 24 hours: Identify all Spring Boot applications using Actuator in your environment and verify their version numbers against the affected ranges. Within 7 days: Implement network segmentation or WAF rules to restrict access to Health Group endpoints and apply the compensating controls listed below. …
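An inventory check for the first remediation step, added here as an example and not part of the original advisory or of Spring's own code: it classifies a Spring Boot version against the affected ranges quoted above and lists the Health Group additional paths declared in a `.properties` file. The function names and the sample configuration are constructed for illustration; the script assumes `.properties` syntax and does not parse YAML.

```python
import re

# Fixed patch level per release line, taken from the advisory text above.
FIXED = {(4, 0): 3, (3, 5): 11, (3, 4): 15}

# Spring Boot property: management.endpoint.health.group.<name>.additional-path
ADDITIONAL_PATH = re.compile(
    r"^\s*management\.endpoint\.health\.group\.([^.\s]+)\.additional-path\s*[=:]\s*(\S+)",
    re.MULTILINE,
)


def classify_version(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Spring Boot version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unlisted"  # release line not named in the advisory
    return "affected" if patch < fixed_patch else "fixed"


def health_group_paths(properties_text):
    """Map health group name -> additional path, with a 'server:' style prefix removed."""
    paths = {}
    for name, value in ADDITIONAL_PATH.findall(properties_text):
        paths[name] = value.split(":", 1)[-1]
    return paths


def triage(version, properties_text):
    """Flag an app for review when it is on an affected version and declares additional paths."""
    status = classify_version(version)
    paths = health_group_paths(properties_text)
    return {"status": status, "paths": paths,
            "review": status == "affected" and bool(paths)}


# Constructed sample input, not taken from any real application.
SAMPLE_PROPERTIES = """\
management.endpoint.health.group.live.additional-path=server:/healthz
management.endpoint.health.group.ready.additional-path=server:/readyz
management.endpoints.web.exposure.include=health
"""

if __name__ == "__main__":
    print(triage("3.5.10", SAMPLE_PROPERTIES))
```

For each flagged application, compare the listed paths with the routes of endpoints that require authentication; release lines reported as `unlisted` are not named in the advisory and need a separate check against the vendor's notes.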
EUVD-2026-13345
GHSA-8hfc-fq58-r658