Cyber Resilience

CVE-2026-22205

HighPublic PoC

Published: 26 February 2026

Published
26 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 36.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22205 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Spip Spip. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-22205 is an authentication bypass vulnerability affecting SPIP versions prior to 4.4.10. The flaw stems from PHP type juggling in the authentication logic, where loose type comparisons allow attackers to bypass login verification and access protected information, including sensitive internal data. It is classified under CWE-288 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By leveraging the type juggling weakness, they can evade authentication checks to retrieve confidential data without impacting integrity or availability.

The official SPIP security advisory announces the release of version 4.4.10 as a patch addressing this issue. Security practitioners should upgrade to SPIP 4.4.10 or later, with further details available in the SPIP Git repository.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal…

more

data.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Auth bypass in public-facing SPIP web app directly enables remote exploitation for unauthorized access to protected data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27475Same product: Spip Spip
CVE-2026-22206Same product: Spip Spip
CVE-2026-33549Same product: Spip Spip
CVE-2025-71243Same vendor: Spip
CVE-2026-27744Same vendor: Spip
CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288
CVE-2026-2628Shared CWE-288
CVE-2025-64121Shared CWE-288

Affected Assets

spip
spip
≤ 4.4.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely identification, reporting, and patching of the authentication bypass flaw in SPIP versions prior to 4.4.10.

prevent

Mandates unique identification and authentication for non-organizational users, preventing bypasses via PHP type juggling in SPIP's login verification.

prevent

Enforces approved access authorizations to block unauthenticated attackers from retrieving protected information despite authentication logic flaws.

References