Spring Security vulnerabilities

9 known vulnerabilities affecting spring/spring_security.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 2

Vulnerabilities

CVE-2026-22733 | HIGH | CVSS 8.2 | CWE-288 | Published 2026-03-20
Versions: ≥ 4.0.0, ≤ 4.0.3; ≥ 3.5.0, ≤ 3.5.11; +3 more
Title: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability
Description: Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3
Sources: cvelistv5, nvd
CVE-2025-22234 | HIGH | CVSS 7.4 | CWE-208 | Published 2026-01-22
Versions: v5.7.16; v5.8.18; +5 more
Title: Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation
Description: The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
Sources: cvelistv5
CVE-2025-41232 | CRITICAL | CVSS 9.1 | CWE-693 | Published 2025-05-21
Versions: ≥ 6.4.x, < 6.4.6
Description: Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true:
  * You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and
  * You have Spring Security method annotations on a privat
Sources: cvelistv5, nvd
CVE-2025-22223 | MEDIUM | CVSS 5.3 | CWE-290 | Published 2025-03-24
Versions: v6.4.0-6.4.3
Description: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attache
Sources: cvelistv5, nvd
CVE-2025-22228 | HIGH | CVSS 7.4 | CWE-287 | Published 2025-03-20
Versions: v5.7.16; v5.8.18; +5 more
Description: BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Sources: cvelistv5, nvd
CVE-2024-38810 | HIGH (CVSS 7.5; description record tagged MEDIUM) | CWE-287 | Published 2024-08-20
Versions: ≥ 6.3.x, < 6.3.2
Description: Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations ineffective.
Sources: cvelistv5, nvd
CVE-2024-22234 | HIGH | CVSS 7.4 | CWE-284 | Published 2024-02-20
Versions: ≥ 6.1.x, < 6.1.7; ≥ 6.2.x, < 6.2.2
Description: In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if:
  * The application uses AuthenticationTrustResolver.isFullyAuthentic
Sources: cvelistv5, nvd
CVE-2019-11272 | HIGH | CVSS 7.3 | CWE-287 | Published 2019-06-26
Versions: ≥ 4.2, < 4.2.13.RELEASE
Description: Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null
Sources: cvelistv5, nvd
CVE-2019-3795 | MEDIUM | CVSS 5.3 | CWE-330 | Published 2019-04-09
Versions: ≥ 5.0, < 5.0.11.RELEASE; ≥ 5.1, < 5.1.4.RELEASE; +1 more
Description: Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker
Sources: cvelistv5, nvd