GHSA-mf92-479x-3373

Suggest an improvement
Source
https://github.com/advisories/GHSA-mf92-479x-3373
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mf92-479x-3373
Aliases
  • CVE-2026-22732
Downstream
Published
2026-03-20T00:31:28Z
Modified
2026-03-20T20:46:26.164998Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Spring Security HTTP Headers Are not Written Under Some Conditions
Details

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Database specific 
{
    "github_reviewed_at": "2026-03-20T20:42:25Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-425"
    ],
    "nvd_published_at": "2026-03-19T23:16:41Z",
    "severity": "CRITICAL"
}
References

Affected packages

Maven
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.7.14

Affected versions

3.*
3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.0.8.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.1.5.RELEASE
3.1.6.RELEASE
3.1.7.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
4.*
4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
4.2.3.RELEASE
4.2.4.RELEASE
4.2.5.RELEASE
4.2.6.RELEASE
4.2.7.RELEASE
4.2.8.RELEASE
4.2.9.RELEASE
4.2.10.RELEASE
4.2.11.RELEASE
4.2.12.RELEASE
4.2.13.RELEASE
4.2.14.RELEASE
4.2.15.RELEASE
4.2.16.RELEASE
4.2.17.RELEASE
4.2.18.RELEASE
4.2.19.RELEASE
4.2.20.RELEASE
5.*
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.0.4.RELEASE
5.0.5.RELEASE
5.0.6.RELEASE
5.0.7.RELEASE
5.0.8.RELEASE
5.0.9.RELEASE
5.0.10.RELEASE
5.0.11.RELEASE
5.0.12.RELEASE
5.0.13.RELEASE
5.0.14.RELEASE
5.0.15.RELEASE
5.0.16.RELEASE
5.0.17.RELEASE
5.0.18.RELEASE
5.0.19.RELEASE
5.1.0.RELEASE
5.1.1.RELEASE
5.1.2.RELEASE
5.1.3.RELEASE
5.1.4.RELEASE
5.1.5.RELEASE
5.1.6.RELEASE
5.1.7.RELEASE
5.1.8.RELEASE
5.1.9.RELEASE
5.1.10.RELEASE
5.1.11.RELEASE
5.1.12.RELEASE
5.1.13.RELEASE
5.2.0.RELEASE
5.2.1.RELEASE
5.2.2.RELEASE
5.2.3.RELEASE
5.2.4.RELEASE
5.2.5.RELEASE
5.2.6.RELEASE
5.2.7.RELEASE
5.2.8.RELEASE
5.2.9.RELEASE
5.2.10.RELEASE
5.2.11.RELEASE
5.2.12.RELEASE
5.2.13.RELEASE
5.2.14.RELEASE
5.2.15.RELEASE
5.3.0.RELEASE
5.3.1.RELEASE
5.3.2.RELEASE
5.3.3.RELEASE
5.3.4.RELEASE
5.3.5.RELEASE
5.3.6.RELEASE
5.3.7.RELEASE
5.3.8.RELEASE
5.3.9.RELEASE
5.3.10.RELEASE
5.3.11.RELEASE
5.3.12.RELEASE
5.3.13.RELEASE
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11
5.6.12
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12
5.7.13
5.7.14

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Last affected
5.8.16

Affected versions

5.*
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.8.10
5.8.11
5.8.12
5.8.13
5.8.14
5.8.15
5.8.16

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Last affected
6.3.10

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Last affected
6.4.13

Affected versions

6.*
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
6.4.9
6.4.10
6.4.11
6.4.12
6.4.13

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.5.9

Affected versions

6.*
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"
org.springframework.security:spring-security-web

Package

Name
org.springframework.security:spring-security-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework.security/spring-security-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.4

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mf92-479x-3373/GHSA-mf92-479x-3373.json"