Description

Spring Boot applications that expose Actuator are vulnerable to an authentication bypass when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints: a request routed through that path reaches the application endpoint without the authentication the application intended. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Status: PUBLISHED | Reserved 2026-01-09 | Published 2026-03-19 | Updated 2026-03-20 | Assigner: vmware

Severity: HIGH 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Problem types

CWE-288 Authentication bypass using an alternate path or channel

Product status

Default status: unaffected

4.0.0 (custom): affected
3.5.0 (custom): affected
3.4.0 (custom): affected
3.3.0 (custom): affected
2.7.0 (custom): affected

References

spring.io/security/cve-2026-22733

cve.org (CVE-2026-22733)

nvd.nist.gov (CVE-2026-22733)