Spring Security HTTP Header Write Failure before 7.0.4: CVE-2026-22732 March 2026

Spring Security HTTP Header Write Failure before 7.0.4
CVE-2026-22732 Published on March 19, 2026

Under Some Conditions Spring Security HTTP Headers Are not Written
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Vulnerability Analysis

CVE-2026-22732 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Products Associated with CVE-2026-22732

Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.

Affected Versions

Version 5.7.0, <= 5.7.21 is affected.

Version 5.8.0, <= 5.8.23 is affected.

Version 6.3.0, <= 6.3.14 is affected.

Version 6.4.0, <= 6.4.14 is affected.

Version 6.5.0, <= 6.5.8 is affected.

Version 7.0.0, <= 7.0.3 is affected.

Spring Security HTTP Header Write Failure before 7.0.4CVE-2026-22732 Published on March 19, 2026

Vulnerability Analysis

Products Associated with CVE-2026-22732

Affected Versions

Spring Security HTTP Header Write Failure before 7.0.4
CVE-2026-22732 Published on March 19, 2026