CVE-2026-22731
Published: 19 March 2026
Summary
CVE-2026-22731 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in VMware Spring Boot. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating known flaws by patching to Spring Boot versions 4.0.3, 3.5.11, or 3.4.15 directly eliminates the authentication bypass in Actuator endpoints.
Restricting systems to least functionality by disabling unnecessary Actuator endpoints or Health Groups prevents exposure to the path-based authentication bypass.
Establishing and enforcing secure configuration settings for Actuator Health Group paths avoids misconfigurations that trigger the authentication bypass vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in exposed Spring Boot Actuator web endpoints directly enables remote exploitation of a public-facing application without credentials.
NVD Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Deeper analysis
CVE-2026-22731 is an authentication bypass vulnerability in Spring Boot applications that use Actuator. The issue arises when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. It affects Spring Boot versions from 4.0 before 4.0.3, from 3.5 before 3.5.11, and from 3.4 before 3.4.15. Published on 2026-03-19, the vulnerability is scored at CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-288 and CWE-306. It is similar but not equivalent to CVE-2026-22733 due to differing exploit conditions and vulnerable versions.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables bypass of authentication controls on affected endpoints, resulting in high confidentiality impact through unauthorized access to sensitive data and low integrity impact, with no availability disruption.
The Spring security advisory at https://spring.io/security/cve-2026-22731 details mitigation steps, with patches available in Spring Boot 4.0.3, 3.5.11, and 3.4.15. Security practitioners should verify configurations involving Actuator Health Groups and upgrade affected applications promptly.
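As an added example (not code from this page or from the Spring project), a small Python audit that applies the two checks recommended above: whether a reported Spring Boot version is older than the fixed releases named here, and whether any Health Group additional-path property in an application.properties file shares a path tree with a route the application protects. The property key and its server:/management: value prefix are Spring Boot's own; the sample properties, the protected-route list and the overlap rule (equal path, or one beneath the other) are constructed assumptions for illustration, not the exact trigger condition.

```python
import re

# Fixed versions named on this page, keyed by affected minor line.
FIXED_VERSIONS = {(4, 0): (4, 0, 3), (3, 5): (3, 5, 11), (3, 4): (3, 4, 15)}

# Property that gives a health group an extra path; the value is written
# "server:/path" or "management:/path".
ADDITIONAL_PATH_RE = re.compile(
    r"^management\.endpoint\.health\.group\.([^.=\s]+)\.additional-path\s*=\s*(\S+)$"
)

# Constructed sample application.properties (not taken from the page).
SAMPLE_PROPERTIES = """
server.port=8080
management.endpoint.health.group.readiness.additional-path=server:/api
management.endpoint.health.group.liveness.additional-path=management:/live
"""
# Constructed list of application routes that require authentication.
SAMPLE_PROTECTED_PATHS = ["/api/orders", "/admin"]

def parse_version(text):
    """'3.5.10' -> (3, 5, 10); a non-numeric part raises ValueError."""
    return tuple(int(p) for p in text.strip().split("."))

def version_is_vulnerable(version):
    """True when the version is in a listed affected line and older than its fix."""
    v = parse_version(version)
    fix = FIXED_VERSIONS.get(v[:2])
    return fix is not None and v < fix

def health_group_paths(properties_text):
    """Return {group: path} for every additional-path property, port prefix dropped."""
    groups = {}
    for line in properties_text.splitlines():
        m = ADDITIONAL_PATH_RE.match(line.strip())
        if m:
            _, sep, path = m.group(2).partition(":")
            groups[m.group(1)] = path if sep else m.group(2)
    return groups

def same_tree(a, b):
    """Conservative overlap rule (an assumption, not the exact trigger):
    the paths are equal or one lies beneath the other."""
    a, b = a.rstrip("/"), b.rstrip("/")
    return a == b or b.startswith(a + "/") or a.startswith(b + "/")

def find_overlaps(properties_text, protected_paths):
    """Pair each health-group additional path with the protected routes it overlaps."""
    return [(group, hp, p) for group, hp in health_group_paths(properties_text).items()
            for p in protected_paths if same_tree(hp, p)]
```

Any pair returned by find_overlaps is a configuration to review against the advisory, and any True from version_is_vulnerable is an upgrade to schedule.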
Details
- CWE(s)