GHSA-mgvc-8q2h-5pgc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mgvc-8q2h-5pgc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mgvc-8q2h-5pgc/GHSA-mgvc-8q2h-5pgc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mgvc-8q2h-5pgc
- Aliases
-
- CVE-2026-22733
- Published
- 2026-03-20T00:31:28Z
- Modified
- 2026-03-20T20:46:32.831069Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints
- Details
-
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
- Database specific
{ "github_reviewed_at": "2026-03-20T20:42:31Z", "github_reviewed": true, "cwe_ids": [ "CWE-288" ], "nvd_published_at": "2026-03-20T00:16:15Z", "severity": "HIGH" }- References
Affected packages
Maven
org.springframework.boot:spring-boot-starter-actuator
Package
- Name
- org.springframework.boot:spring-boot-starter-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-starter-actuator
org.springframework.boot:spring-boot-starter-actuator
Package
- Name
- org.springframework.boot:spring-boot-starter-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-starter-actuator
org.springframework.boot:spring-boot-starter-actuator
Package
- Name
- org.springframework.boot:spring-boot-starter-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-starter-actuator
org.springframework.boot:spring-boot-starter-actuator
Package
- Name
- org.springframework.boot:spring-boot-starter-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-starter-actuator
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
org.springframework.boot:spring-boot-starter-actuator
Package
- Name
- org.springframework.boot:spring-boot-starter-actuator
- View open source insights on deps.dev
- Purl
- pkg:maven/org.springframework.boot/spring-boot-starter-actuator
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected2.7.18
Affected versions
1.*
1.0.0.RELEASE
1.0.1.RELEASE
1.0.2.RELEASE
1.1.0.RELEASE
1.1.1.RELEASE
1.1.2.RELEASE
1.1.3.RELEASE
1.1.4.RELEASE
1.1.5.RELEASE
1.1.6.RELEASE
1.1.7.RELEASE
1.1.8.RELEASE
1.1.9.RELEASE
1.1.10.RELEASE
1.1.11.RELEASE
1.1.12.RELEASE
1.2.0.RELEASE
1.2.1.RELEASE
1.2.2.RELEASE
1.2.3.RELEASE
1.2.4.RELEASE
1.2.5.RELEASE
1.2.6.RELEASE
1.2.7.RELEASE
1.2.8.RELEASE
1.3.0.RELEASE
1.3.1.RELEASE
1.3.2.RELEASE
1.3.3.RELEASE
1.3.4.RELEASE
1.3.5.RELEASE
1.3.6.RELEASE
1.3.7.RELEASE
1.3.8.RELEASE
1.4.0.RELEASE
1.4.1.RELEASE
1.4.2.RELEASE
1.4.3.RELEASE
1.4.4.RELEASE
1.4.5.RELEASE
1.4.6.RELEASE
1.4.7.RELEASE
1.5.0.RELEASE
1.5.1.RELEASE
1.5.2.RELEASE
1.5.3.RELEASE
1.5.4.RELEASE
1.5.5.RELEASE
1.5.6.RELEASE
1.5.7.RELEASE
1.5.8.RELEASE
1.5.9.RELEASE
1.5.10.RELEASE
1.5.11.RELEASE
1.5.12.RELEASE
1.5.13.RELEASE
1.5.14.RELEASE
1.5.15.RELEASE
1.5.16.RELEASE
1.5.17.RELEASE
1.5.18.RELEASE
1.5.19.RELEASE
1.5.20.RELEASE
1.5.21.RELEASE
1.5.22.RELEASE
2.*
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.0.6.RELEASE
2.0.7.RELEASE
2.0.8.RELEASE
2.0.9.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.1.5.RELEASE
2.1.6.RELEASE
2.1.7.RELEASE
2.1.8.RELEASE
2.1.9.RELEASE
2.1.10.RELEASE
2.1.11.RELEASE
2.1.12.RELEASE
2.1.13.RELEASE
2.1.14.RELEASE
2.1.15.RELEASE
2.1.16.RELEASE
2.1.17.RELEASE
2.1.18.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE
2.2.7.RELEASE
2.2.8.RELEASE
2.2.9.RELEASE
2.2.10.RELEASE
2.2.11.RELEASE
2.2.12.RELEASE
2.2.13.RELEASE
2.3.0.RELEASE
2.3.1.RELEASE
2.3.2.RELEASE
2.3.3.RELEASE
2.3.4.RELEASE
2.3.5.RELEASE
2.3.6.RELEASE
2.3.7.RELEASE
2.3.8.RELEASE
2.3.9.RELEASE
2.3.10.RELEASE
2.3.11.RELEASE
2.3.12.RELEASE
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12
2.5.13
2.5.14
2.5.15
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18