Cyber Posture

CVE-2026-22732

CriticalPublic PoC

Published: 19 March 2026

Published
19 March 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0003 7.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22732 is a critical-severity Forced Browsing (CWE-425) vulnerability in Vmware Spring Security. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation directly patches vulnerable Spring Security versions, ensuring specified HTTP response headers are properly written and preventing exploitation.

CM-6 Configuration Settings partial match
prevent

Secure configuration settings for Spring Security components enforce proper HTTP header handling, mitigating the lazy writing issue.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Vulnerability scanning identifies systems with affected Spring Security versions, enabling timely remediation of this header writing flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote unauthenticated exploitation of a public-facing Spring Security web application to bypass intended HTTP security headers (CWE-425).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from…

more

5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Deeper analysisAI

CVE-2026-22732 affects Spring Security Servlet applications that use the default lazy writing of HTTP headers, where applications specify HTTP response headers but they may not be written. This vulnerability impacts versions from 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3. It is associated with CWE-425 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation prevents the intended HTTP response headers from being applied, resulting in high confidentiality and integrity impacts but no availability impact.

The official Spring Security advisory provides details on mitigation and patches at https://spring.io/security/cve-2026-22732.

Details

CWE(s)
CWE-425

Affected Products

vmware
spring security
≤ 5.7.22 · 5.8.0 — 5.8.24 · 6.3.0 — 6.3.15

CVEs Like This One

CVE-2026-22753Same product: Vmware Spring Security
CVE-2026-22747Same product: Vmware Spring Security
CVE-2026-22754Same product: Vmware Spring Security
CVE-2026-22719Same vendor: Vmware
CVE-2026-22731Same vendor: Vmware
CVE-2026-22733Same vendor: Vmware
CVE-2026-40976Same vendor: Vmware
CVE-2026-40972Same vendor: Vmware
CVE-2026-22738Same vendor: Vmware
CVE-2026-22744Same vendor: Vmware

References