Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authen...
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Spring
PRODUCT: Spring Security
AFFECTED_VERSIONS: 5.7.0–5.7.21, 5.8.0–5.8.23, 6.3.0–6.3.14, 6.4.0–6.4.14, 6.5.0–6.5.8, 7.0.0–7.0.3
---END_METADATA---
Description Summary:
Spring Security may fail to write HTTP response headers in certain servlet applications. This failure can bypass critical security protections like HSTS or CSP, leaving users vulnerable to web-based attacks.
Executive Summary:
A critical vulnerability in Spring Security causes a failure to apply security headers, potentially exposing web applications to cross-site scripting, session hijacking, and other browser-based exploits.
Vulnerability Details
CVE-ID: CVE-2026-22732
Affected Software: Spring Security
Affected Versions: 5.7.0–5.7.21, 5.8.0–5.8.23, 6.3.0–6.3.14, 6.4.0–6.4.14, 6.5.0–6.5.8, 7.0.0–7.0.3
Vulnerability: This issue involves a failure in the header-writing logic for servlet applications. Under certain conditions, unauthenticated requests may result in responses where security-critical HTTP headers (such as Content-Security-Policy or X-Frame-Options) are omitted, effectively disabling the application's browser-level security posture.
Business Impact
With a CVSS score of 9.1, this vulnerability significantly increases the risk of successful client-side attacks against application users. The absence of security headers can facilitate credential theft via phishing, data exfiltration through XSS, or UI redressing via clickjacking. This can lead to a loss of customer trust and potential regulatory non-compliance regarding data protection standards.
Remediation Plan
Immediate Action: Update Spring Security dependencies to the latest patched maintenance release (e.g., 5.7.22, 5.8.24, 6.3.15, 6.4.15, 6.5.9, or 7.0.4).
Proactive Monitoring: Use automated security scanning tools to verify that all production endpoints are consistently returning expected security headers in their HTTP responses.
Compensating Controls: Configure a reverse proxy or load balancer to inject missing security headers (HSTS, CSP, X-Content-Type-Options) as a temporary global fix.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Mar 19, 2026, there is no public information indicating active exploitation. However, the widespread use of Spring Security in enterprise environments makes this a high-impact vulnerability that requires prompt attention.
Analyst Recommendation
We recommend that development teams immediately audit their Spring Security versions and apply the necessary patches. Given the silent nature of this failure, automated testing should be implemented to ensure that security headers are correctly applied across all application routes.