CVE-2026-22754 — Improper Access Control in Spring Security

CWE-284 — Improper Access Control CWE-551 — Incorrect Behavior Order: Authorization Before Parsing and Canonicalization4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 85.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Security Devspaces Openvsx-rhel9 Devspaces Pluginregistry-rhel9 +3 more

Timeline

PublishedApr 22

Description

Vulnerability in Spring Spring Security. If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.