Cyber Resilience

CVE-2026-22731

High

Published: 19 March 2026

Modified: 16 April 2026
CVSS v3.1 score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0033 (percentile 25.1)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22731 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in VMware Spring Boot. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22731 is an authentication bypass vulnerability in Spring Boot applications that use Actuator. The issue arises when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. It affects Spring Boot versions from 4.0 before 4.0.3, from 3.5 before 3.5.11, and from 3.4 before 3.4.15. Published on 2026-03-19, the vulnerability is scored at CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-288 and CWE-306. It is similar but not equivalent to CVE-2026-22733 due to differing exploit conditions and vulnerable versions.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables bypass of authentication controls on affected endpoints, resulting in high confidentiality impact through unauthorized access to sensitive data and low integrity impact, with no availability disruption.

The Spring security advisory at https://spring.io/security/cve-2026-22731 details mitigation steps; fixed releases are Spring Boot 4.0.3, 3.5.11, and 3.4.15. Security practitioners should review any configuration that places an Actuator Health Group on an additional path and upgrade affected applications promptly.
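The configuration review suggested above can be partly automated. The following is an added example, not code from the advisory or from the Spring project: it reads a constructed `application.properties`, collects every Health Group exposed through the real Spring Boot property `management.endpoint.health.group.<name>.additional-path`, and reports authenticated routes (a constructed inventory) that sit under one of those additional paths on the main server port. The overlap rule (same path or a sub-path) is an assumption used to flag candidates for review, not the advisory's exact trigger condition.

```python
import re
from typing import Dict, List, Tuple

# Real Spring Boot property key; values look like "server:/healthz" or
# "management:/healthz". Parsing logic and sample data below are ours.
_ADDITIONAL_PATH = re.compile(
    r"^management\.endpoint\.health\.group\.([^.]+)\.additional-path\s*=\s*(.+)$"
)

def parse_additional_paths(properties_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {group: (port_kind, path)} for each Health Group on an additional path."""
    found: Dict[str, Tuple[str, str]] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _ADDITIONAL_PATH.match(line)
        if not m:
            continue
        group, value = m.group(1), m.group(2).strip()
        port_kind, _, path = value.partition(":")
        if port_kind not in ("server", "management") or not path.startswith("/"):
            raise ValueError(f"malformed additional-path for group {group!r}: {value}")
        found[group] = (port_kind, path.rstrip("/") or "/")
    return found

def find_overlaps(additional: Dict[str, Tuple[str, str]],
                  authenticated_routes: List[str]) -> List[Tuple[str, str, str]]:
    """(group, additional_path, route) for every authenticated route that lives
    under a Health Group additional path served on the main server port."""
    hits = []
    for group, (port_kind, path) in additional.items():
        if port_kind != "server":
            continue  # management-port paths are not on the application port
        for route in authenticated_routes:
            if route == path or route.startswith(path + "/"):
                hits.append((group, path, route))
    return hits

# Constructed sample configuration and route inventory (not from any real app).
SAMPLE_PROPERTIES = """\
# application.properties (constructed sample)
management.endpoints.web.exposure.include=health,info
management.endpoint.health.group.readiness.include=readinessState,db
management.endpoint.health.group.readiness.additional-path=server:/api/status
management.endpoint.health.group.liveness.additional-path=management:/livez
"""
SAMPLE_AUTH_ROUTES = ["/api/status/internal", "/api/orders", "/admin"]

if __name__ == "__main__":
    for hit in find_overlaps(parse_additional_paths(SAMPLE_PROPERTIES), SAMPLE_AUTH_ROUTES):
        print("review: group %s additional-path %s covers authenticated route %s" % hit)
```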

Vulnerability details

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in exposed Spring Boot Actuator web endpoints directly enables remote exploitation of a public-facing application without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22733 (same product: VMware Spring Boot)
CVE-2026-40972 (same product: VMware Spring Boot)
CVE-2026-40976 (same product: VMware Spring Boot)
CVE-2026-40975 (same product: VMware Spring Boot)
CVE-2026-22747 (same vendor: VMware)
CVE-2026-22753 (same vendor: VMware)
CVE-2026-22719 (same vendor: VMware)
CVE-2026-41002 (same vendor: VMware)
CVE-2026-22750 (same vendor: VMware)
CVE-2026-22732 (same vendor: VMware)

Affected Assets

VMware Spring Boot: 3.4.0 — 3.4.15 · 3.5.0 — 3.5.12 · 4.0.0 — 4.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating known flaws by patching to Spring Boot versions 4.0.3, 3.5.11, or 3.4.15 directly eliminates the authentication bypass in Actuator endpoints.

Prevent: Restricting systems to least functionality by disabling unnecessary Actuator endpoints or Health Groups prevents exposure to the path-based authentication bypass.

Prevent: Establishing and enforcing secure configuration settings for Actuator Health Group paths avoids misconfigurations that trigger the authentication bypass vulnerability.