CVE-2026-22731

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-22731	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::

History

16 Apr 2026, 04:30

Type	Values Removed	Values Added
Summary		(es) Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una vulnerabilidad de 'omisión de autenticación' cuando un endpoint de aplicación que requiere autenticación se declara bajo una ruta específica, ya configurada para una ruta adicional de un Grupo de Salud. Este problema afecta a Spring Boot: desde 4.0 antes de 4.0.3, desde 3.5 antes de 3.5.11, desde 3.4 antes de 3.4.15. Este CVE es similar pero no equivalente a CVE-2026-22733, ya que las condiciones para el exploit y las versiones vulnerables son diferentes.
First Time		Vmware Vmware spring Boot
CWE		CWE-306
CPE		cpe:2.3:a:vmware:spring_boot::::::::
References	~~() https://spring.io/security/cve-2026-22731 -~~	() https://spring.io/security/cve-2026-22731 - Vendor Advisory

19 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 23:16

Updated : 2026-04-16 04:30

NVD link : CVE-2026-22731

Mitre link : CVE-2026-22731

CVE.ORG link : CVE-2026-22731

JSON object : View

Products Affected

vmware

spring_boot

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-22731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-19T23:16:41.080", "references": [{"url": "https://spring.io/security/cve-2026-22731", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-288"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different."}, {"lang": "es", "value": "Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una vulnerabilidad de 'omisi\u00f3n de autenticaci\u00f3n' cuando un endpoint de aplicaci\u00f3n que requiere autenticaci\u00f3n se declara bajo una ruta espec\u00edfica, ya configurada para una ruta adicional de un Grupo de Salud.\nEste problema afecta a Spring Boot: desde 4.0 antes de 4.0.3, desde 3.5 antes de 3.5.11, desde 3.4 antes de 3.4.15.\nEste CVE es similar pero no equivalente a CVE-2026-22733, ya que las condiciones para el exploit y las versiones vulnerables son diferentes."}], "lastModified": "2026-04-16T04:30:21.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ACB2610-CD68-4D6A-9C4C-0FA18E55E041", "versionEndExcluding": "3.4.15", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2444685F-F529-45D4-91D6-4EDC9128024C", "versionEndExcluding": "3.5.12", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF787BE2-58A8-442C-8165-9652D62C0829", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}