Spring Security EUVD-2026-24609

CVE-2026-22747 (MEDIUM)
Improper Validation of Certificate with Host Mismatch (CWE-297)
Published 2026-04-22, vendor vmware, advisory GHSA-2jrg-rf5x-568g
CVSS 3.1 base score: 6.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 22, 2026 - 06:30 (vuln.today)

Description (NVD)

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Analysis (AI)

Spring Security 7.0.0 through 7.0.4 mishandles malformed X.509 certificate CN values in the SubjectX500PrincipalExtractor, allowing authenticated attackers to craft certificates that extract incorrect username values and impersonate other users. The vulnerability requires network access and authenticated privileges but does not require user interaction; it affects certificate-based authentication flows where X.509 principal extraction is used.
