GHSA-4wrg-8wpc-h923

Source
https://github.com/advisories/GHSA-4wrg-8wpc-h923
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4wrg-8wpc-h923/GHSA-4wrg-8wpc-h923.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4wrg-8wpc-h923
Aliases
  • CVE-2026-22753
Downstream
Related
Published
2026-04-22T06:30:29Z
Modified
2026-05-05T16:03:44.588584Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers
Details

Vulnerability in Spring Security. If an application uses securityMatchers(String) together with a PathPatternRequestMatcher.Builder bean to prepend a servlet path, requests may fail to match that filter chain, so the security components attached to it are not exercised as the application intended. As a result, authentication, authorization, and other security controls can be rendered inactive on the requests they were meant to protect. This issue affects Spring Security from 7.0.0 through 7.0.4.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:49:32Z",
    "cwe_ids": [
        "CWE-693"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-04-22T06:16:04Z"
}
References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.5

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4wrg-8wpc-h923/GHSA-4wrg-8wpc-h923.json"
last_known_affected_version_range
"<= 7.0.4"