CVE-2026-22731

CWE-288 CWE-3056 documents6 sources

Severity

8.2HIGH

EPSS

0.1%

top 83.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Boot

Timeline

PublishedMar 19

Latest updateMar 20

Description

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶Mavenorg.springframework.boot:spring-boot-starter-actuator3.5.0 — 3.5.12+2

▶CVEListV5spring/spring_boot4.0 — 4.0.3+2

🔴Vulnerability Details

GHSA

Spring Boot has an Authentication Bypass under Actuator Health groups paths↗2026-03-20

▶

OSV

Spring Boot has an Authentication Bypass under Actuator Health groups paths↗2026-03-20

▶

CVEList

Authentication Bypass under Actuator Health groups paths↗2026-03-19

▶

📋Vendor Advisories

Red Hat

Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22731 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶