CVE-2026-22732
Description
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Risk Information
Base Score
9.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.017
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| CVE-2026-22732 affects spring-security-web 5.7.14 | Windows |
| CVE-2026-22732 is fixed in spring-security-web 6.5.9 | Windows |
| CVE-2026-22732 is fixed in spring-security-web 7.0.4 | Windows |
| CVE-2026-22732 affects spring-security-web for Linux 5.7.14 | Linux |
| CVE-2026-22732 is fixed in spring-security-web for Linux 6.5.9 | Linux |
| CVE-2026-22732 is fixed in spring-security-web for Linux 7.0.4 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234