GHSA-4vrc-j85c-598c

Source
https://github.com/advisories/GHSA-4vrc-j85c-598c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4vrc-j85c-598c/GHSA-4vrc-j85c-598c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vrc-j85c-598c
Aliases
  • CVE-2026-22754
Downstream
Related
Published
2026-04-22T06:30:29Z
Modified
2026-05-05T16:03:46.007975Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules
Details

Vulnerability in Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path used when computing a path matcher, the servlet path is not included in the matcher, so the related authorization rules are never exercised. This can lead to an authorization bypass. This issue affects Spring Security from 7.0.0 through 7.0.4.

Database specific
{
    "github_reviewed_at": "2026-04-29T20:50:05Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ],
    "nvd_published_at": "2026-04-22T06:16:04Z",
    "severity": "HIGH"
}
References

Affected packages

Maven / org.springframework.security:spring-security-config

Package

Name
org.springframework.security:spring-security-config
Purl
pkg:maven/org.springframework.security/spring-security-config

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.5

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4

Database specific

last_known_affected_version_range
"<= 7.0.4"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4vrc-j85c-598c/GHSA-4vrc-j85c-598c.json"