{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22731", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-03-19T22:36:15.112Z", "dateUpdated": "2026-03-20T15:33:43.191Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:36:15.112Z"}, "title": "Authentication Bypass under Actuator Health groups paths", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel", "type": "CWE"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.0.3", "versionType": "custom"}, {"status": "affected", "version": "3.5", "lessThan": "3.5.11", "versionType": "custom"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.<br><p>This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.<br>This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22731"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:33:35.462671Z", "id": "CVE-2026-22731", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:33:43.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22731", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:33:35.462671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:33:39.256Z"}}], "cna": {"title": "Authentication Bypass under Actuator Health groups paths", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.0.3", "versionType": "custom"}, {"status": "affected", "version": "3.5", "lessThan": "3.5.11", "versionType": "custom"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22731"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.", "supportingMedia": [{"type": "text/html", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.<br><p>This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.<br>This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:36:15.112Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22731", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:33:43.191Z", "dateReserved": "2026-01-09T06:54:41.498Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T22:36:15.112Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ACB2610-CD68-4D6A-9C4C-0FA18E55E041", "versionEndExcluding": "3.4.15", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "2444685F-F529-45D4-91D6-4EDC9128024C", "versionEndExcluding": "3.5.12", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF787BE2-58A8-442C-8165-9652D62C0829", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different."}, {"lang": "es", "value": "Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una vulnerabilidad de 'omisi\u00f3n de autenticaci\u00f3n' cuando un endpoint de aplicaci\u00f3n que requiere autenticaci\u00f3n se declara bajo una ruta espec\u00edfica, ya configurada para una ruta adicional de un Grupo de Salud.\nEste problema afecta a Spring Boot: desde 4.0 antes de 4.0.3, desde 3.5 antes de 3.5.11, desde 3.4 antes de 3.4.15.\nEste CVE es similar pero no equivalente a CVE-2026-22733, ya que las condiciones para el exploit y las versiones vulnerables son diferentes."}], "id": "CVE-2026-22731", "lastModified": "2026-04-16T04:30:21.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T23:16:41.080", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22731"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@vmware.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path", "id": "2449290", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449290"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-305", "details": ["A flaw was found in Spring Boot. This vulnerability, an authentication bypass, occurs when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to sensitive application endpoints. This could lead to information disclosure or unauthorized actions."], "mitigation": {"lang": "en:us", "value": "To mitigate, ensure that application endpoints requiring authentication are not declared under paths already configured as Health Group additional paths within Spring Boot applications using Actuator. Review and adjust your application's configuration to prevent this overlap. A redeployment of the application is required for changes to take effect."}, "name": "CVE-2026-22731", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-19T22:36:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22731\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22731\nhttps://spring.io/security/cve-2026-22731"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0,4.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.5,3.5.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.4,3.4.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-17T11:34:32.005896+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Boot to 4.0.3, 3.5.11, 3.4.15 or later", "Configure actuator endpoints so that health group paths require authentication, e.g., by adding security constraints in application.yml or @EnableWebSecurity settings", "If an immediate upgrade is not possible, disable or remove unnecessary health group paths or enforce custom authentication checks on those paths"], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The flaw applies to Spring Boot releases where Actuator is enabled. Specifically, any Spring Boot 4.0 version before 4.0.3, Spring Boot 3.5 before 3.5.11, or Spring Boot 3.4 before 3.4.15 are vulnerable when an endpoint that requires authentication is declared under a health group additional path. All other product lines of Spring Boot remain unaffected.", "description_and_impact": "Spring Boot applications that use Actuator can be affected by an authentication bypass flaw. When an endpoint that normally requires authentication is placed under a health group path, the security filter that blocks unauthenticated traffic is mistakenly skipped. This flaw was classified as CWE-288, CWE-305, and CWE-306. Unauthenticated users may thereby reach protected diagnostic data, system metrics, and configuration endpoints that are normally restricted, potentially revealing sensitive information and creating a foothold for further attacks.", "risk_and_exploitability": "The CVSS base score of 8.2 indicates high severity, while the EPSS score is reported as less than 1% and the flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. Based on the description, an attacker could use an unauthenticated HTTP request to the misconfigured health group endpoint to trigger the bypass. No credentials or privileged access are required, and access to otherwise protected data could compromise confidentiality."}}}}, "created": "2026-03-20T08:54:41.610427+00:00", "updated": "2026-04-17T11:45:06.221272+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}