{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22748", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.990Z", "datePublished": "2026-04-22T05:15:03.505Z", "dateUpdated": "2026-04-22T05:15:03.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:15:03.505Z"}, "title": "Potential Security Misconfiguration when Using withIssuerLocation", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "6.3.0", "lessThanOrEqual": "6.3.14", "versionType": "custom"}, {"status": "affected", "version": "6.4.0", "lessThanOrEqual": "6.4.14", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.9", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. When an application configures JWT decoding with\u00a0NimbusJwtDecoder\u00a0 or\u00a0NimbusReactiveJwtDecoder, it must configure an\u00a0OAuth2TokenValidator<Jwt>\u00a0separately, for example by calling\u00a0setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. When an application configures JWT decoding with&nbsp;<code>NimbusJwtDecoder</code>&nbsp; or&nbsp;<code>NimbusReactiveJwtDecoder</code>, it must configure an&nbsp;<code>OAuth2TokenValidator&lt;Jwt&gt;</code>&nbsp;separately, for example by calling&nbsp;<code>setJwtValidator</code>.<p>This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22748"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. When an application configures JWT decoding with\u00a0NimbusJwtDecoder\u00a0 or\u00a0NimbusReactiveJwtDecoder, it must configure an\u00a0OAuth2TokenValidator<Jwt>\u00a0separately, for example by calling\u00a0setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22748", "lastModified": "2026-04-22T06:16:04.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-22T06:16:04.040", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22748"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:26:27.569443+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Spring Security release that includes the mandatory token validator (6.3.15 or later, 6.4.15 or later, 6.5.10 or later, 7.0.5 or later).", "Verify that after configuring NimbusJwtDecoder or NimbusReactiveJwtDecoder you call setJwtValidator with a suitable OAuth2TokenValidator<Jwt> instance.", "If an immediate upgrade is not possible, explicitly add a default validator (for example a DelegatingOAuth2TokenValidator combining timestamp and issuer validation) to enforce token checks."], "summary": {"action": "Patch", "impact": "Inadequate Token Validation"}, "threat_synthesis": {"affected_systems": "Spring Security, versions 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4.", "description_and_impact": "Spring Security allows developers to configure JWT decoding using NimbusJwtDecoder or NimbusReactiveJwtDecoder. However, if an application forgets to configure an OAuth2TokenValidator<Jwt> (such as by calling setJwtValidator) the system will accept any JWT without validating its signature, issuer, or expiration. This misconfiguration can allow an attacker to forge a token and gain unauthorized access to protected resources. The weakness corresponds to missing validation and configuration errors.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium impact. The absence of an EPSS score and non\u2011listing in KEV suggests this vulnerability has not yet been widely exploited. The attack vector likely requires an ability to modify or deploy application configuration \u2013 typically a developer or administrator \u2013 to bypass token validation. Until the validator is added or the library is updated, the application remains vulnerable to token forgery and unauthorized access."}}}}, "created": "2026-04-22T07:30:11.593868+00:00", "updated": "2026-04-22T07:30:11.593879+00:00", "vendors": [], "weaknesses": ["CWE-749", "CWE-863"]}