CVE-2026-22747
Published: 22 April 2026
Summary
CVE-2026-22747 is a medium-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in VMware Spring Security. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the 7.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the specific flaw in Spring Security's SubjectX500PrincipalExtractor by requiring timely patching of the vulnerable versions, 7.0.0 through 7.0.4.
- SC-17 (Public Key Infrastructure Certificates): ensures public key infrastructure certificates are validated correctly, preventing acceptance of malformed X.509 certificates that could lead to incorrect username extraction.
- Input validation: requires validation of certificate inputs such as CN values, so that improper handling cannot result in extracting the wrong username for impersonation.
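As a practical starting point for the SI-2 control, the following added example (not tooling from Spring, VMware or NIST) scans Maven `dependency:tree` output for Spring Security artifacts whose version falls in the advisory's affected range, 7.0.0 through 7.0.4 inclusive. The sample tree is constructed for the demonstration, and the function names are this example's own.

```python
# Added example for the SI-2 (Flaw Remediation) control: flag Spring Security
# artifacts in the affected range 7.0.0..7.0.4 (inclusive, as the advisory
# states). Not Spring/VMware/NIST tooling; SAMPLE_TREE is constructed.
import re

AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 4)   # inclusive, per the advisory

# Constructed output in the shape of
#   mvn dependency:tree -Dincludes=org.springframework.security
SAMPLE_TREE = """[INFO] com.example:shop-api:jar:1.4.2
[INFO] +- org.springframework.security:spring-security-config:jar:7.0.3:compile
[INFO] +- org.springframework.security:spring-security-web:jar:7.0.3:compile
[INFO] +- org.springframework.security:spring-security-core:jar:7.0.3:compile
[INFO] \\- org.springframework.security:spring-security-test:jar:7.0.3:test
"""

# A Maven coordinate printed by dependency:tree has no whitespace inside it.
_COORD = re.compile(r"(org\.springframework\.security:\S+)")


def parse_coordinate(coord):
    """groupId:artifactId:type[:classifier]:version:scope -> (artifactId, version).
    The version is always the second-to-last field, so an optional classifier
    (e.g. 'sources') does not shift it."""
    parts = coord.split(":")
    if len(parts) < 5:
        return None
    return parts[1], parts[-2]


def parse_version(version):
    """'7.0.4', '7.0.4-SNAPSHOT' or '7.0.4.RELEASE' -> (7, 0, 4); None if not x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the numeric prefix is within the advisory's range. A SNAPSHOT of an
    affected release is treated as affected (conservative)."""
    t = parse_version(version)
    return t is not None and AFFECTED_MIN <= t <= AFFECTED_MAX


def find_affected(tree_output):
    """Return a sorted list of (artifactId, version) pairs in the affected range."""
    hits = set()
    for line in tree_output.splitlines():
        m = _COORD.search(line)
        if not m:
            continue
        parsed = parse_coordinate(m.group(1))
        if parsed and is_affected(parsed[1]):
            hits.add(parsed)
    return sorted(hits)


if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_TREE):
        print(f"AFFECTED  {artifact}  {version}")
```

The check only answers "is this version inside the range the advisory names"; a version outside it is reported as out of range, not as safe, and the Spring advisory remains the authority for which release carries the fix. Gradle's `dependencies` report uses a different line format and would need its own parser.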
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw in Spring Security's certificate CN extraction lets a remote client present a crafted X.509 certificate to a public-facing authentication component and be mapped to another user's identity, which is why it is classed as exploitation of a public-facing application (T1190).
NVD Description
Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Deeper analysis
CVE-2026-22747 is a vulnerability in Spring Security's SubjectX500PrincipalExtractor component, which fails to properly handle certain malformed X.509 certificate Common Name (CN) values. This mishandling can result in the extraction of an incorrect username value. The issue affects Spring Security versions from 7.0.0 through 7.0.4 and has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N), mapped to CWE-297 (Improper Validation of Certificate with Host Mismatch).
An attacker with low privileges (PR:L) exploits the flaw over the network (AV:N) by presenting a carefully crafted X.509 client certificate; no user interaction is needed (UI:N), but the attack complexity is rated high (AC:H). Successful exploitation lets the attacker act as another user, with high confidentiality and integrity impact (C:H/I:H), no availability impact (A:N) and unchanged scope (S:U). Two points matter for triage: only deployments that authenticate clients with X.509 certificates and derive the principal through SubjectX500PrincipalExtractor reach the affected code, and in a typical deployment the extractor only sees certificates the TLS layer has already accepted, so the crafted certificate must still chain to a CA the server trusts. Exposure is therefore greatest where an attacker can obtain a certificate with an attacker-chosen CN from a CA the application trusts.
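To make the weakness class concrete, here is an added example that is not Spring Security's code and does not reproduce the specific malformed CN behind this CVE (the advisory does not publish it). It compares two common shortcut extractors, a regex over the flattened subject string and a split-on-comma scan, with an RFC 2253-aware parse on constructed subject DNs whose single CN value legitimately contains a comma and the text `CN=alice`. The subjects, the helper names and the hardening allowlist are assumptions of the example.

```python
# Added example: how a CN read from the string form of an X.509 subject DN can
# disagree with the CN the certificate actually carries. This is NOT Spring
# Security's SubjectX500PrincipalExtractor and NOT the CVE-2026-22747 input;
# the subjects below are constructed for the demonstration.
import re

# Constructed subject DNs. RFC 2253 lets a comma appear inside an attribute
# value when it is backslash-escaped or the whole value is quoted.
SUBJECT_NORMAL = "CN=alice,OU=Engineering,O=Example Corp"
SUBJECT_ESCAPED = r"CN=eve\,CN=alice,O=Example Corp"   # ONE CN whose value is 'eve,CN=alice'
SUBJECT_QUOTED = 'CN="eve,CN=alice",O=Example Corp'    # the same CN in quoted form

_NAIVE_CN = re.compile(r"CN=(.*?)(?:,|$)", re.IGNORECASE)


def naive_cn(dn):
    """Shortcut 1: a regex over the flattened DN string (ignores escaping)."""
    m = _NAIVE_CN.search(dn)
    return m.group(1) if m else None


def split_cn(dn):
    """Shortcut 2: split on ',' and keep the last 'CN=' segment (also ignores escaping)."""
    cn = None
    for seg in dn.split(","):
        seg = seg.strip()
        if seg.upper().startswith("CN="):
            cn = seg[3:]
    return cn


def parse_rdns(dn):
    """Tokenise a DN string into [(type, value), ...] honouring RFC 2253 rules:
    backslash escapes (including \\XX hex pairs), quoted values, and '+'
    multi-valued RDNs (emitted as separate pairs)."""
    pairs, buf_type, buf_value = [], [], []
    in_value = in_quotes = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        target = buf_value if in_value else buf_type
        if c == "\\" and i + 1 < n:
            hex_pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hex_pair):
                target.append(chr(int(hex_pair, 16)))   # e.g. \2C is a comma
                i += 3
            else:
                target.append(dn[i + 1])                # escaped literal, e.g. \, or \"
                i += 2
            continue
        if in_value and c == '"':
            in_quotes = not in_quotes                   # inside quotes, separators are literal
        elif in_value and not in_quotes and c in ",;+":
            pairs.append(("".join(buf_type).strip(), "".join(buf_value).strip()))
            buf_type, buf_value, in_value = [], [], False
        elif not in_value and c == "=":
            in_value = True
        else:
            target.append(c)
        i += 1
    if buf_type:
        pairs.append(("".join(buf_type).strip(), "".join(buf_value).strip()))
    return pairs


def rdn_cn(dn):
    """Return the value of the first CN RDN after a proper parse, or None."""
    for attr, value in parse_rdns(dn):
        if attr.upper() == "CN":
            return value
    return None


# Defence in depth (an assumption of this example, not a Spring feature): even
# with a correct parser, accept only a single CN that is an unambiguous username.
_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def safe_username(dn):
    """The CN if there is exactly one and it matches the allowlist, else None."""
    cns = [v for a, v in parse_rdns(dn) if a.upper() == "CN"]
    if len(cns) != 1 or not _USERNAME.fullmatch(cns[0]):
        return None
    return cns[0]


if __name__ == "__main__":
    for subject in (SUBJECT_NORMAL, SUBJECT_ESCAPED, SUBJECT_QUOTED):
        print(subject)
        print("  naive regex :", naive_cn(subject))
        print("  split/last  :", split_cn(subject))
        print("  RFC 2253    :", rdn_cn(subject))
        print("  hardened    :", safe_username(subject))
```

On the escaped subject the two shortcuts return `eve\` and `alice` respectively, while the RFC 2253 parse returns the certificate's real CN, `eve,CN=alice`; the split-based shortcut is the one that names a different user, which is the impersonation shape the advisory describes. The hardened extractor refuses that subject altogether rather than mapping it to anyone, which is the behaviour to want from a principal extractor even after the parser is fixed.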
For mitigation details, security practitioners should refer to the official Spring advisory at https://spring.io/security/cve-2026-22747, published on 2026-04-22.
Details
- CWE(s)