
Spring Security: EUVD-2026-35911 / CVE-2026-47838 (HIGH)
Improper Authentication (CWE-287)
Published 2026-06-10 · Reporter: security@vmware.com · Advisory: GHSA-293q-567p-wmwq
CVSS 3.1 (NVD): 8.1

Severity by source

  Vendor (vmware), primary:  MEDIUM (qualitative)
  NVD:                       8.1 HIGH  (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  vuln.today AI:             8.1 HIGH

Rationale for the AI score: network-reachable mTLS endpoint (AV:N, AC:L); the attacker must hold a CA-signed client certificate with a CN they control (PR:L); full impersonation of another user yields C:H/I:H, with no service disruption (A:N).

  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

The primary rating is the vendor's (vmware).

CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: None

Lifecycle Timeline (7 events, newest first)

  Jun 18, 2026 03:48  vuln.today  Analysis updated, v3 (cvss_changed)
  Jun 18, 2026 03:48  vuln.today  Analysis updated, v2 (cvss_changed)
  Jun 18, 2026 03:38  vuln.today  Re-analysis queued (cvss_changed)
  Jun 18, 2026 03:38  NVD         Severity changed: MEDIUM -> HIGH
  Jun 18, 2026 03:38  NVD         CVSS changed: 6.8 (MEDIUM) -> 8.1 (HIGH)
  Jun 10, 2026 02:01  EUVD        Patch available
  Jun 10, 2026 00:46  vuln.today  Analysis generated

Description (NVD)

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.

Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Analysis (AI)

Authentication bypass via X.509 certificate impersonation in Spring Security affects versions 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, and 6.5.0-6.5.10, where the SubjectDnX509PrincipalExtractor mishandles malformed Common Name (CN) values and resolves the principal to the wrong identity. An attacker holding a carefully crafted client certificate can authenticate as a different legitimate user, gaining their privileges. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify a Spring application that authenticates clients with X.509 certificates
  • Delivery: obtain a certificate from a CA the server trusts, with a crafted CN
  • Exploit: initiate a mutual-TLS handshake
  • Execution: SubjectDnX509PrincipalExtractor misparses the CN
  • Persist: Spring loads the victim's UserDetails
  • Impact: operate as the impersonated user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Spring application has X.509 client-certificate authentication enabled and uses the default SubjectDnX509PrincipalExtractor (or any extractor that derives the username from the CN of the subject DN), and that the attacker can obtain a client certificate, signed by a CA in the server's trust store, whose CN they control. The enabling condition is therefore an issuing CA that signs whatever subject the requester supplies; a CA that validates or normalises subject attributes before issuing removes the attacker's control over the CN. …

Risk Assessment: Signals are mixed but converge on a moderate, not urgent, priority. …

Exploit Scenario: An attacker enrolls or obtains a client certificate from a CA the target server trusts, requesting a CN that embeds RDN-style separators or malformed sequences designed to be reparsed as a different username (for example, a victim administrator's identifier). The attacker then performs a normal mutual-TLS handshake against the Spring application; SubjectDnX509PrincipalExtractor extracts the crafted fragment instead of the true CN, and Spring Security loads the victim's UserDetails, granting the attacker that user's roles. …

Remediation: Vendor-released patches are available: upgrade to Spring Security 5.7.25, 5.8.27, 6.3.18, 6.4.18, or 6.5.11 for your maintenance branch, as listed in the EUVD record and the Spring advisory at https://spring.io/security/cve-2026-47838. Until the upgrade lands, the shape of a compensating control is an X509PrincipalExtractor of your own that parses the subject DN into RDNs (for example with javax.naming.ldap.LdapName) and takes the CN from the parsed structure, rather than matching a regular expression against the DN string. …
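The mechanism the scenario above describes, as an added Python model that is not Spring Security's code: a regular expression applied to the string form of the subject DN (the class's default pattern is `CN=(.*?)(?:,|$)`, case-insensitive, applied as a search) beside an RDN-aware parse of the same string. The subject strings are constructed for the demonstration; placing the smuggled `,CN=admin` in an attribute that precedes the CN is an assumption about what the issuing CA would sign, and which exact malformation triggers the Spring bug is not stated on this page.

```python
import re
from typing import Optional

# Default pattern of SubjectDnX509PrincipalExtractor (case-insensitive, applied
# with find(), i.e. a search anywhere in the DN string, not a full match).
NAIVE_CN_PATTERN = re.compile(r"CN=(.*?)(?:,|$)", re.IGNORECASE)


def extract_cn_naive(subject_dn: str) -> Optional[str]:
    """Model of the regex extractor: first 'CN=' anywhere in the string, then
    everything up to the next comma. Escaped separators ('\\,') are not understood."""
    m = NAIVE_CN_PATTERN.search(subject_dn)
    return m.group(1) if m else None


def parse_rfc2253(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 string DN into (type, value) pairs.

    ',' and '+' end an RDN only when not backslash-escaped; '\\c' yields the
    literal character c and '\\XX' a hex-escaped byte (decoded as Latin-1,
    sufficient for this model). Multi-valued RDNs (a+b) come back as separate pairs.
    """
    rdns: list[tuple[str, str]] = []
    attr_type: Optional[str] = None
    buf: list[str] = []
    i, n = 0, len(dn)
    while i <= n:
        ch = dn[i] if i < n else None          # None marks end of input
        if ch == "\\" and i + 1 < n:
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif ch in (",", "+", None):
            if attr_type is None:
                raise ValueError(f"RDN without '=' ending at offset {i}")
            rdns.append((attr_type, "".join(buf)))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return rdns


def extract_cn_strict(subject_dn: str) -> str:
    """Hardened extractor: parse RDNs first, then require exactly one CN.
    Rejecting multiple CNs removes the ambiguity a permissive CA could introduce."""
    cns = [v for t, v in parse_rfc2253(subject_dn) if t == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN RDN, found {len(cns)}")
    return cns[0]


# Constructed subject DNs in the RFC 2253 string form (a comma inside a value is
# written '\,'). Not taken from a real certificate or from the advisory.
HONEST_SUBJECT = r"CN=alice,OU=Engineering,O=Example Corp"
# Assumption: the CA copied an attacker-supplied OU verbatim and it sorts ahead of CN.
CRAFTED_SUBJECT = r"OU=sales\,CN=admin,CN=mallory,O=Example Corp"


def demo() -> dict[str, Optional[str]]:
    """Run both extractors over both subjects; the naive one yields 'admin' for mallory."""
    return {
        "honest_naive": extract_cn_naive(HONEST_SUBJECT),
        "honest_strict": extract_cn_strict(HONEST_SUBJECT),
        "crafted_naive": extract_cn_naive(CRAFTED_SUBJECT),
        "crafted_strict": extract_cn_strict(CRAFTED_SUBJECT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value!r}")
```

The point of the parsed variant is that separators are interpreted only after escapes have been resolved, so a value that merely contains the text `,CN=admin` can never be mistaken for an RDN boundary; the same property is what a custom X509PrincipalExtractor built on a real DN parser provides.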

Recommended Action (AI)

Within 24 hours: inventory all systems running Spring Security 5.7.0-5.7.24, 5.8.0-5.8.26, 6.3.0-6.3.17, 6.4.0-6.4.17, or 6.5.0-6.5.10 with X.509 certificate authentication enabled. …
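One way to do that inventory from build output, as an added example (not the page's or Spring's own tooling): classify each org.springframework.security artifact from `mvn dependency:list` output against the affected ranges and fixed versions listed above, and grep security configuration for the markers that X.509 authentication is wired in. The sample dependency listing is constructed, and the marker list is a heuristic I chose, not an exhaustive one.

```python
import re
from typing import Optional

# Affected ranges and first fixed version per maintenance branch, as listed on
# this page: (first affected, last affected, first fixed).
BRANCHES = {
    (5, 7): ((5, 7, 0), (5, 7, 24), "5.7.25"),
    (5, 8): ((5, 8, 0), (5, 8, 26), "5.8.27"),
    (6, 3): ((6, 3, 0), (6, 3, 17), "6.3.18"),
    (6, 4): ((6, 4, 0), (6, 4, 17), "6.4.18"),
    (6, 5): ((6, 5, 0), (6, 5, 10), "6.5.11"),
}

SPRING_SECURITY_GROUP = "org.springframework.security"

# Maven coordinate as printed by `mvn dependency:list`: group:artifact:type:version:scope
# (a line with a classifier has one extra field and is skipped by this pattern).
DEP_LINE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)

# Heuristic markers that X.509 client-certificate auth is configured
# (Java DSL, filter class, extractor class, XML namespace element).
X509_MARKERS = re.compile(r"\.x509\(|X509AuthenticationFilter|SubjectDnX509PrincipalExtractor|<x509\b")


def parse_version(v: str) -> Optional[tuple[int, int, int]]:
    """'6.4.5', '6.4.5-SNAPSHOT', '5.8.26.RELEASE' -> (6, 4, 5) etc.; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(version: str) -> str:
    """Verdict for one Spring Security version against the ranges on this page.
    A branch absent from the page is reported as 'unlisted', not as safe."""
    parsed = parse_version(version)
    if parsed is None:
        return f"unparseable version {version!r}"
    branch = BRANCHES.get(parsed[:2])
    if branch is None:
        return "unlisted"
    lo, hi, fix = branch
    if lo <= parsed <= hi:
        return f"affected (upgrade to {fix})"
    return "fixed"          # note: a SNAPSHOT of the fixed version is trusted here


def scan_dependency_list(text: str) -> list[tuple[str, str, str]]:
    """(artifact, version, verdict) for every Spring Security artifact in the output."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if not m or m["group"] != SPRING_SECURITY_GROUP:
            continue
        findings.append((m["artifact"], m["version"], assess(m["version"])))
    return findings


def uses_x509_auth(config_source: str) -> bool:
    """True if the Java/XML security configuration shows any X.509 auth marker."""
    return X509_MARKERS.search(config_source) is not None


# Constructed sample (not from a real build) in `mvn dependency:list` format.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-web:jar:6.4.5:compile
[INFO]    org.springframework.security:spring-security-config:jar:6.4.5:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.5.11:compile
[INFO]    org.springframework:spring-web:jar:6.2.1:compile
"""

if __name__ == "__main__":
    for artifact, version, verdict in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"{artifact:<28} {version:<10} {verdict}")
```

Both checks are needed: a vulnerable version without X.509 authentication configured is a routine upgrade, while a vulnerable version that the marker scan flags is the 24-hour item, because the exposure is the mTLS endpoint itself.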


EUVD-2026-35911 vulnerability details – vuln.today
