{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22754", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.991Z", "datePublished": "2026-04-22T05:32:48.172Z", "dateUpdated": "2026-04-22T15:59:52.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:32:48.172Z"}, "title": "ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application uses&nbsp;<code>&lt;sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/&gt;</code>&nbsp;to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22754"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:43:57.735284Z", "id": "CVE-2026-22754", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:59:52.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:43:57.735284Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:44:19.919Z"}}], "cna": {"title": "ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22754"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Spring Security. If an application uses&nbsp;<code>&lt;sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/&gt;</code>&nbsp;to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:32:48.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22754", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:59:52.492Z", "dateReserved": "2026-01-09T06:55:03.991Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-22T05:32:48.172Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B8A5767-EB43-4E11-8E93-9324B70F7060", "versionEndExcluding": "7.0.5", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22754", "lastModified": "2026-04-24T14:16:07.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-22T06:16:04.270", "references": [{"source": "security@vmware.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22754"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Security: Spring Security: Authorization bypass due to incorrect servlet path matching", "id": "2460489", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460489"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-551", "details": ["A flaw was found in Spring Security. When an application uses `<sec:intercept-url>` to define authorization rules, the servlet path may not be correctly included in the path matcher. This oversight can lead to an authorization bypass, allowing a remote attacker to access protected resources without proper authentication or authorization."], "name": "CVE-2026-22754", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.servicemix.bundles.spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-22T05:32:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22754\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22754\nhttps://spring.io/security/cve-2026-22754"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-29T00:18:16.730957+00:00", "value": {"mitigation_remediation": ["Upgrade to Spring Security 7.0.5 or later, which contains the path matcher fix.", "Revise or remove any <sec:intercept-url> entries that rely on servlet-path and pattern combinations and instead use explicit path definitions.", "Validate application functionality and run access control tests to confirm that authorization checks are enforced after the upgrade."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The flaw affects applications built with Spring Security versions 7.0.0 through 7.0.4. The issue arises when the <sec:intercept-url> element uses a servlet-path attribute (e.g., servlet-path=\"/servlet-path\") in combination with a pattern such as \"/endpoint/\".", "description_and_impact": "The vulnerability in Spring Security allows an attacker to bypass authorization controls because the servlet-path is omitted when computing the path matcher for XML based authorization rules. This flaw means that requests matching the specified pattern are not subjected to the intended access restrictions, potentially enabling unauthorized access to protected resources.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability poses a high baseline risk. The EPSS score is < 1%, indicating a very low but non-zero likelihood of exploitation, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests that match the defined pattern, allowing attackers to locate resources that should be protected. The severity and very low EPSS suggest the risk is moderate to high and organizations using affected Spring Security versions should prioritize remediation."}}}}, "created": "2026-04-22T07:15:11.665630+00:00", "updated": "2026-04-29T00:30:16.115718+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"]}