GHSA-cvc6-q2cp-2xhw

Suggest an improvement
Source
https://github.com/advisories/GHSA-cvc6-q2cp-2xhw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cvc6-q2cp-2xhw/GHSA-cvc6-q2cp-2xhw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cvc6-q2cp-2xhw
Aliases
  • CVE-2026-22748
Downstream
Related
Published
2026-04-22T06:30:29Z
Modified
2026-05-05T16:05:54.238232Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Spring Security has Potential Security Misconfiguration when Using withIssuerLocation
Details

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder  or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:48:38Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-04-22T06:16:04Z"
}
References

Affected packages

Maven
org.springframework.security:spring-security-oauth2-jose

Package

Name
org.springframework.security:spring-security-oauth2-jose
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Last affected
6.3.14

Affected versions

6.*
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cvc6-q2cp-2xhw/GHSA-cvc6-q2cp-2xhw.json"
org.springframework.security:spring-security-oauth2-jose

Package

Name
org.springframework.security:spring-security-oauth2-jose
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Last affected
6.4.14

Affected versions

6.*
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
6.4.9
6.4.10
6.4.11
6.4.12
6.4.13

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cvc6-q2cp-2xhw/GHSA-cvc6-q2cp-2xhw.json"
org.springframework.security:spring-security-oauth2-jose

Package

Name
org.springframework.security:spring-security-oauth2-jose
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.5.10

Affected versions

6.*
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cvc6-q2cp-2xhw/GHSA-cvc6-q2cp-2xhw.json"
last_known_affected_version_range 
"<= 6.5.9"
org.springframework.security:spring-security-oauth2-jose

Package

Name
org.springframework.security:spring-security-oauth2-jose
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-oauth2-jose

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.5

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cvc6-q2cp-2xhw/GHSA-cvc6-q2cp-2xhw.json"
last_known_affected_version_range 
"<= 7.0.4"