{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22733", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-03-19T23:29:10.098Z", "dateUpdated": "2026-03-20T14:45:18.731Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:29:10.098Z"}, "title": "Authentication Bypass under Actuator CloudFoundry endpoints", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel", "type": "CWE"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "4.0.0", "lessThanOrEqual": "4.0.3", "versionType": "custom"}, {"status": "affected", "version": "3.5.0", "lessThanOrEqual": "3.5.11", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThanOrEqual": "3.4.14", "versionType": "custom"}, {"status": "affected", "version": "3.3.0", "lessThanOrEqual": "3.3.17", "versionType": "custom"}, {"status": "affected", "version": "2.7.0", "lessThanOrEqual": "2.7.31", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.\u00a0This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.&nbsp;<span>This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.</span>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22733"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:45:09.953150Z", "id": "CVE-2026-22733", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:45:18.731Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Authentication Bypass under Actuator CloudFoundry endpoints", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "4.0.0", "versionType": "custom", "lessThanOrEqual": "4.0.3"}, {"status": "affected", "version": "3.5.0", "versionType": "custom", "lessThanOrEqual": "3.5.11"}, {"status": "affected", "version": "3.4.0", "versionType": "custom", "lessThanOrEqual": "3.4.14"}, {"status": "affected", "version": "3.3.0", "versionType": "custom", "lessThanOrEqual": "3.3.17"}, {"status": "affected", "version": "2.7.0", "versionType": "custom", "lessThanOrEqual": "2.7.31"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22733"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.\u00a0This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.", "supportingMedia": [{"type": "text/html", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.&nbsp;<span>This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T23:29:10.098Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22733", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T14:45:09.953150Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-20T14:45:14.474Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22733", "state": "PUBLISHED", "dateUpdated": "2026-03-19T23:29:10.098Z", "dateReserved": "2026-01-09T06:54:41.498Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T23:29:10.098Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "4513BC8A-943B-4B55-A516-BCBD1B4A218B", "versionEndExcluding": "2.7.32", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "3124B8A3-D4CF-4EB3-8A46-E55C4EBA1648", "versionEndExcluding": "3.3.18", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ACB2610-CD68-4D6A-9C4C-0FA18E55E041", "versionEndExcluding": "3.4.15", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "2444685F-F529-45D4-91D6-4EDC9128024C", "versionEndExcluding": "3.5.12", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF787BE2-58A8-442C-8165-9652D62C0829", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints.\u00a0This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31."}, {"lang": "es", "value": "Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una 'vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n' cuando un endpoint de aplicaci\u00f3n que requiere autenticaci\u00f3n se declara bajo la ruta utilizada por los endpoints de Actuator de CloudFoundry. Este problema afecta a Spring Security: desde 4.0.0 hasta 4.0.3, desde 3.5.0 hasta 3.5.11, desde 3.4.0 hasta 3.4.14, desde 3.3.0 hasta 3.3.17, desde 2.7.0 hasta 2.7.31."}], "id": "CVE-2026-22733", "lastModified": "2026-04-23T14:24:37.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T00:16:15.513", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22733"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.11]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.17]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.7.31]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-20T00:20:15.743572+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a release after the affected ranges (e.g., 4.0.4 or later, or 3.5.12 or later).", "If upgrading is not immediately possible, isolate or remove Actuator CloudFoundry endpoints from the application\u2019s exposed URLs."], "summary": {"action": "Update", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Spring Security versions affected are: 4.0.0 through 4.0.3, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.17, and 2.7.0 through 2.7.31. Any Spring Boot application using these Spring Security releases and enabling Actuator with CloudFoundry endpoints is at risk.", "description_and_impact": "A Spring Boot application that exposes Actuator can be vulnerable to an Authentication Bypass when an endpoint that requires authentication is declared under the same path used by the CloudFoundry Actuator endpoints. The vulnerability allows an attacker to access protected resources without providing proper credentials. The weakness is divided under CWE-288, Authentication Failure.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity. EPSS score is not available, and the vulnerability is not listed in CISA KEV catalog. The likely attack vector is a remote authenticated or unauthenticated request to the attacker-controlled endpoint path; the omission of the attack vector in the official description means it is inferred that a remote attacker can trigger the bypass by sending requests to the affected path. Exploitation requires sending a request to the vulnerable Actuator path and successfully retrieving restricted data without authentication, a condition that the vulnerability directly satisfies."}}}}, "created": "2026-03-20T08:54:17.746549+00:00", "updated": "2026-03-20T10:43:44.963975+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"]}