Spring Security 4.0.3 Auth Bypass via CloudFoundry Actuator (CVE-2026-22733)
CVE-2026-22733 Published on March 19, 2026
Authentication Bypass under Actuator CloudFoundry endpoints
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Vulnerability Analysis
CVE-2026-22733 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Products Associated with CVE-2026-22733
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring Security:- Version 4.0.0, <= 4.0.3 is affected.
- Version 3.5.0, <= 3.5.11 is affected.
- Version 3.4.0, <= 3.4.14 is affected.
- Version 3.3.0, <= 3.3.17 is affected.
- Version 2.7.0, <= 2.7.31 is affected.