CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-22733	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::
	cpe:2.3:a:vmware:spring_boot::::::::

History

23 Apr 2026, 14:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:vmware:spring_boot::::::::
References	~~() https://spring.io/security/cve-2026-22733 -~~	() https://spring.io/security/cve-2026-22733 - Vendor Advisory
Summary		(es) Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una 'vulnerabilidad de omisión de autenticación' cuando un endpoint de aplicación que requiere autenticación se declara bajo la ruta utilizada por los endpoints de Actuator de CloudFoundry. Este problema afecta a Spring Security: desde 4.0.0 hasta 4.0.3, desde 3.5.0 hasta 3.5.11, desde 3.4.0 hasta 3.4.14, desde 3.3.0 hasta 3.3.17, desde 2.7.0 hasta 2.7.31.
First Time		Vmware Vmware spring Boot

20 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 00:16

Updated : 2026-04-23 14:24

NVD link : CVE-2026-22733

Mitre link : CVE-2026-22733

CVE.ORG link : CVE-2026-22733

JSON object : View

Products Affected

vmware

spring_boot

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2026-22733", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-20T00:16:15.513", "references": [{"url": "https://spring.io/security/cve-2026-22733", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.\u00a0This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31."}, {"lang": "es", "value": "Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una 'vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n' cuando un endpoint de aplicaci\u00f3n que requiere autenticaci\u00f3n se declara bajo la ruta utilizada por los endpoints de Actuator de CloudFoundry. Este problema afecta a Spring Security: desde 4.0.0 hasta 4.0.3, desde 3.5.0 hasta 3.5.11, desde 3.4.0 hasta 3.4.14, desde 3.3.0 hasta 3.3.17, desde 2.7.0 hasta 2.7.31."}], "lastModified": "2026-04-23T14:24:37.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4513BC8A-943B-4B55-A516-BCBD1B4A218B", "versionEndExcluding": "2.7.32"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3124B8A3-D4CF-4EB3-8A46-E55C4EBA1648", "versionEndExcluding": "3.3.18", "versionStartIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ACB2610-CD68-4D6A-9C4C-0FA18E55E041", "versionEndExcluding": "3.4.15", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2444685F-F529-45D4-91D6-4EDC9128024C", "versionEndExcluding": "3.5.12", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF787BE2-58A8-442C-8165-9652D62C0829", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}