CVE-2026-22733
Published: 20 March 2026
Summary
CVE-2026-22733 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Vmware Spring Boot. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the authentication bypass flaw in vulnerable Spring Security versions through timely identification, reporting, and patching.
Establishes secure configuration settings for Spring Boot Actuator endpoints to prevent path overlaps that enable authentication bypass.
Enforces approved authorizations for access to endpoints, countering the bypass of authentication controls due to misconfigured CloudFoundry Actuator paths.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing Spring Boot Actuator endpoints directly enables exploitation of a network-accessible web application without credentials.
NVD Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3,…
more
from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Deeper analysisAI
CVE-2026-22733, published on 2026-03-20, is an authentication bypass vulnerability (CWE-288) in Spring Boot applications using Actuator. The flaw occurs when an application endpoint that requires authentication is declared under the path used by CloudFoundry Actuator endpoints, allowing unintended access. It affects Spring Security versions 4.0.0 through 4.0.3, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.17, and 2.7.0 through 2.7.31. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility and significant confidentiality impact.
Unauthenticated attackers with network access can exploit this issue with low attack complexity and no user interaction. By sending requests to the misconfigured endpoints under the CloudFoundry Actuator path, they bypass authentication controls, achieving high-level confidentiality access to sensitive data and limited integrity modification without disrupting availability.
Security practitioners should consult the official advisory at https://spring.io/security/cve-2026-22733 for details on patches, workarounds, and mitigation guidance specific to affected Spring Security versions.
Details
- CWE(s)