CVE-2026-22205
Published: 26 February 2026
Summary
CVE-2026-22205 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Spip Spip. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2026-22205 is an authentication bypass vulnerability affecting SPIP versions prior to 4.4.10. The flaw stems from PHP type juggling in the authentication logic, where loose type comparisons allow attackers to bypass login verification and access protected information, including sensitive internal data. It is classified under CWE-288 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By leveraging the type juggling weakness, they can evade authentication checks to retrieve confidential data without impacting integrity or availability.
The official SPIP security advisory announces the release of version 4.4.10 as a patch addressing this issue. Security practitioners should upgrade to SPIP 4.4.10 or later, with further details available in the SPIP Git repository.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8883
Vulnerability details
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal…
more
data.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing SPIP web app directly enables remote exploitation for unauthorized access to protected data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the CVE by requiring timely identification, reporting, and patching of the authentication bypass flaw in SPIP versions prior to 4.4.10.
Mandates unique identification and authentication for non-organizational users, preventing bypasses via PHP type juggling in SPIP's login verification.
Enforces approved access authorizations to block unauthenticated attackers from retrieving protected information despite authentication logic flaws.