CVE-2026-22748 — Improper Input Validation in Spring Security
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 81.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 22
Description
Vulnerability in Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. The vendor advisories below describe the impact as loss of integrity due to improper JWT validation. This issue affects Spring Security from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, and from 7.0.0 through 7.0.4.
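The description says the validator has to be wired in explicitly when the decoder is built by hand. The following configuration is an added example, not code from the Spring Security project or from the advisories above; it shows a NimbusJwtDecoder and a NimbusReactiveJwtDecoder each built from a JWK Set URI and then given an OAuth2TokenValidator via setJwtValidator. The issuer, JWK Set URI and audience values are placeholders for this example, and the audience check is an addition beyond what the description calls for, included because the default validator from JwtValidators.createDefaultWithIssuer only covers timestamps and issuer.

```java
import java.util.List;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values for this example; take the real ones from your
    // authorization server's metadata and the audience you expect in tokens.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    private static final String EXPECTED_AUDIENCE = "my-resource-server";

    // The OAuth2TokenValidator that must be attached to the decoder.
    // createDefaultWithIssuer combines the timestamp (exp/nbf) check with an
    // issuer check; the audience check is added on top of that.
    static OAuth2TokenValidator<Jwt> jwtValidator() {
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // JwtClaimValidator passes null when the claim is absent, so guard for it:
        // a token with no "aud" must be rejected, not accepted.
        Predicate<List<String>> hasAudience =
                aud -> aud != null && aud.contains(EXPECTED_AUDIENCE);
        OAuth2TokenValidator<Jwt> audience =
                new JwtClaimValidator<List<String>>(JwtClaimNames.AUD, hasAudience);

        return new DelegatingOAuth2TokenValidator<>(defaults, audience);
    }

    // Servlet stack: a hand-built NimbusJwtDecoder. Without the
    // setJwtValidator call below, none of the checks in jwtValidator() run.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        decoder.setJwtValidator(jwtValidator());
        return decoder;
    }

    // Reactive stack: the same wiring for NimbusReactiveJwtDecoder.
    // A real application uses one stack or the other, not both beans at once.
    @Bean
    ReactiveJwtDecoder reactiveJwtDecoder() {
        NimbusReactiveJwtDecoder decoder =
                NimbusReactiveJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        decoder.setJwtValidator(jwtValidator());
        return decoder;
    }
}
```

When reviewing a code base against this advisory, search for every `NimbusJwtDecoder` or `NimbusReactiveJwtDecoder` builder call (`withJwkSetUri`, `withPublicKey`, `withSecretKey`, `withIssuerLocation`) and confirm that a `setJwtValidator` call follows before the decoder is handed out as a bean; a decoder that only verifies the signature does not enforce issuer, expiry or audience.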
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.6 | Impact: 3.6
Network attack vector with high attack complexity and low privileges required, no user interaction, unchanged scope; high integrity impact, no confidentiality or availability impact.
Affected Packages: 6 packages (list not reproduced here)
Vulnerability Details
Vendor Advisories (1)
Red Hat: Spring Security: Spring Security: Integrity impact due to improper JSON Web Token (JWT) validation (2026-04-22)
Community (1)
Bugzilla: CVE-2026-22748 Spring Security: Spring Security: Integrity impact due to improper JSON Web Token (JWT) validation (2026-04-22)