CVE-2026-22733

Source
https://cve.org/CVERecord?id=CVE-2026-22733
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22733.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22733
Aliases
Downstream
Related
Published
2026-03-19T23:29:10.098Z
Modified
2026-07-15T01:49:01.699025211Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Authentication Bypass under Actuator CloudFoundry endpoints
Details

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Database specific
{
    "cna_assigner": "vmware",
    "cwe_ids": [
        "CWE-288"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "4.0.0"
                },
                {
                    "last_affected": "4.0.3"
                },
                {
                    "introduced": "3.5.0"
                },
                {
                    "last_affected": "3.5.11"
                },
                {
                    "introduced": "3.4.0"
                },
                {
                    "last_affected": "3.4.14"
                },
                {
                    "introduced": "3.3.0"
                },
                {
                    "last_affected": "3.3.17"
                },
                {
                    "introduced": "2.7.0"
                },
                {
                    "last_affected": "2.7.31"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "4.0.0"
                },
                {
                    "fixed": "4.0.3"
                },
                {
                    "introduced": "3.5.0"
                },
                {
                    "fixed": "3.5.11"
                },
                {
                    "introduced": "3.4.0"
                },
                {
                    "fixed": "3.4.14"
                },
                {
                    "introduced": "3.3.0"
                },
                {
                    "fixed": "3.3.17"
                },
                {
                    "introduced": "2.7.0"
                },
                {
                    "fixed": "2.7.31"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22733.json"
}
References

Affected packages

Git / github.com/spring-projects/spring-boot

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-boot
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.12"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.4"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22733.json"