CVE-2026-22733

CWE-288 CWE-3058 documents6 sources

Severity

8.2HIGH

EPSS

0.1%

top 83.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Security

Timeline

PublishedMar 20

Description

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

▶Mavenorg.springframework.boot:spring-boot-starter-actuator4.0.0-M1 — 4.0.4+4

▶CVEListV5spring/spring_security4.0.0 — 4.0.3+4

🔴Vulnerability Details

GHSA

Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints↗2026-03-20

▶

OSV

Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints↗2026-03-20

▶

GHSA

Spring Boot has an Authentication Bypass under Actuator Health groups paths↗2026-03-20

▶

CVEList

Authentication Bypass under Actuator CloudFoundry endpoints↗2026-03-19

▶

📋Vendor Advisories

Red Hat

Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22731 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22733 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶