CVE-2026-22733

Description

Spring Boot applications with Actuator can be vulnerable to an Authentication Bypass vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Boot (not Spring Security; the version lines below are Spring Boot releases, consistent with the spring-boot-starter-actuator fix versions listed under Associated Vulnerability): from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, and from 2.7.0 through 2.7.31.
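The advisory describes the risk but gives no way to check for it. The following Python script is an added audit example, not code from the advisory or from the Spring project. It does two things that follow directly from the description: it tests a Spring Boot version string against the affected ranges listed above, and it scans Java source for Spring MVC handler mappings whose effective path (class-level @RequestMapping prefix plus method path) sits under the CloudFoundry Actuator path. It assumes Spring Boot's default CloudFoundry actuator base path, /cloudfoundryapplication, which the page does not name, and standard Spring MVC mapping annotations; the Java source it scans is a constructed sample.

```python
"""Audit helpers for CVE-2026-22733: Spring Boot versions in the advisory's affected
ranges, and handler mappings declared under the CloudFoundry Actuator path.

Constructed example; not code from the advisory or from the Spring project.
Assumptions not stated on the advisory page:
  * the CloudFoundry actuator base path is Spring Boot's default, /cloudfoundryapplication
  * controllers use the standard Spring MVC mapping annotations
"""
import re
from typing import List, Optional, Tuple

# Affected ranges as listed in the advisory, (first, last) inclusive. Version lines the
# advisory does not list (e.g. 3.0.x to 3.2.x) are simply not covered by this check.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 31)),
    ((3, 3, 0), (3, 3, 17)),
    ((3, 4, 0), (3, 4, 14)),
    ((3, 5, 0), (3, 5, 11)),
    ((4, 0, 0), (4, 0, 3)),
]
# Assumption: Spring Boot's default base path for the CloudFoundry actuator endpoints.
CF_ACTUATOR_PATH = "/cloudfoundryapplication"


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.13' or '3.4.13-SNAPSHOT' -> (3, 4, 13); any qualifier is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v: str) -> bool:
    """True when the Spring Boot version falls in one of the advisory's affected ranges."""
    t = parse_version(v)
    return any(lo <= t <= hi for lo, hi in AFFECTED_RANGES)


# A mapping annotation with its optional argument list, or a class declaration.
# Limitation: an argument list containing ')' inside a string literal is truncated.
TOKEN_RE = re.compile(
    r"@(?P<ann>RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping)"
    r"\s*(?:\((?P<args>[^)]*)\))?"
    r"|(?P<cls>\bclass\s+(?P<name>\w+))",
    re.S,
)
# Text that follows a class-level annotation: other annotations, modifiers, then 'class'.
CLASS_AHEAD_RE = re.compile(
    r"\s*(?:@\w+(?:\([^)]*\))?\s*)*(?:(?:public|final|abstract|static)\s+)*class\b"
)
STRING_RE = re.compile(r'"([^"]*)"')


def mapping_paths(args: Optional[str]) -> List[str]:
    """Path literals of one mapping annotation; [''] when it declares no path."""
    if not args or not args.strip():
        return [""]
    keyed = re.search(r'\b(?:value|path)\s*=\s*(\{[^}]*\}|"[^"]*")', args)
    if keyed:
        return STRING_RE.findall(keyed.group(1))
    # Without value=/path=, only a leading positional argument names paths;
    # literals after the first key (produces=, consumes=, ...) are not paths.
    head = args.split("=", 1)[0] if "=" in args else args
    return STRING_RE.findall(head) or [""]


def join_paths(prefix: str, path: str) -> str:
    parts = [s.strip("/") for s in (prefix, path) if s and s.strip("/")]
    return "/" + "/".join(parts)


def under_cf_path(path: str) -> bool:
    return path == CF_ACTUATOR_PATH or path.startswith(CF_ACTUATOR_PATH + "/")


def find_risky_mappings(source: str) -> List[Tuple[Optional[str], str, str]]:
    """(class name, annotation, effective path) for every handler whose effective
    path (class-level prefix + method path) sits under the CF actuator path."""
    findings = []
    prefixes: List[str] = [""]            # class-level paths of the current class
    pending: Optional[List[str]] = None   # class-level paths seen before 'class'
    current_class: Optional[str] = None
    for m in TOKEN_RE.finditer(source):
        if m.group("cls"):
            current_class = m.group("name")
            prefixes = pending if pending is not None else [""]
            pending = None
            continue
        paths = mapping_paths(m.group("args"))
        if CLASS_AHEAD_RE.match(source, m.end()):
            pending = paths                # annotation sits on a class, not a method
            continue
        for prefix in prefixes:
            for path in paths:
                full = join_paths(prefix, path)
                if under_cf_path(full):
                    findings.append((current_class, m.group("ann"), full))
    return findings


# Constructed sample source (not from any real project) showing both patterns:
# a class-level prefix and a method-level path under the CF actuator path.
SAMPLE_JAVA = '''
@RestController
@RequestMapping("/cloudfoundryapplication")
public class LegacyAdminController {
    @GetMapping("/admin/users")
    public String users() { return "[]"; }
    @PostMapping(value = "/admin/reset", produces = "application/json")
    public String reset() { return "{}"; }
}
@RestController
public class HealthController {
    @GetMapping("/status")
    public String status() { return "ok"; }
    @GetMapping({"/cloudfoundryapplication/legacy", "/legacy"})
    public String legacy() { return "legacy"; }
}
'''

if __name__ == "__main__":
    for ver in ("3.4.13", "3.5.12", "4.0.4"):
        print(ver, "affected" if is_affected_version(ver) else "not in an affected range")
    for cls, ann, path in find_risky_mappings(SAMPLE_JAVA):
        print(f"{cls}: @{ann} -> {path} is under {CF_ACTUATOR_PATH}")
```

Run it over the controllers of a deployment on an affected version; any finding is a handler whose authentication requirement may be bypassed per the description, and the remediation the page records is an upgrade to a fixed spring-boot-starter-actuator release (3.5.12 or 4.0.4 in the table below). The scanner is deliberately textual, so mappings built from constants or SpEL placeholders, and base-path changes made in application properties, are not resolved.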

Risk Information

Base Score
8.2 (CVSS v3.1)
Severity
MODERATE as listed on this page; note that 8.2 falls in the CVSS v3.1 "High" band (7.0 to 8.9)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
(network-reachable, low attack complexity, no privileges and no user interaction required, scope unchanged; high confidentiality impact, low integrity impact, no availability impact)
EPSS Score (exploitation probability)
0.049 (an estimated 4.9% probability of exploitation activity in the wild within the next 30 days)

Associated Vulnerability

Vulnerabilities                  Package                                          Version   Status     OS Platform
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator            3.4.13    affected   Windows
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator            3.5.12    fixed      Windows
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator            4.0.4     fixed      Windows
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator for Linux  3.4.13    affected   Linux
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator for Linux  3.5.12    fixed      Linux
CVE-2026-22731, CVE-2026-22733   Spring - spring-boot-starter-actuator for Linux  4.0.4     fixed      Linux

Note: this table records only one affected version (3.4.13) and fixed releases on the 3.5.x and 4.0.x lines, while the Description lists broader affected ranges (2.7.0 through 2.7.31, 3.3.0 through 3.3.17, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, 4.0.0 through 4.0.3). No fixed 2.7.x, 3.3.x or 3.4.x release is recorded here; deployments on those lines should treat the Description's ranges as authoritative.

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2026-22733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22733