CVE-2026-22733 · HIGH 8.1 · EPSS p27.0%

Description

Spring Boot applications with Actuator can be vulnerable to authentication bypass when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 27.0% · 2026-06-18T12:00:27Z
Published: 2026-03-20
Last modified: 2026-04-23

Underlying weaknesses · 1

CWE-288

References

  1. https://spring.io/security/cve-2026-22733

Type | Target | Confidence | Tier
Weakness | Authentication Bypass Using an Alternate Path or Channel (cwe-288) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-22731
CVE: CVE-2026-40976
CVE: VMware Spring Cloud Gateway Code Injection Vulnerability
CVE: CVE-2026-41843
CVE: CVE-2026-22739
CVE: CVE-2026-22732

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.