CVE-2026-22747

Severity: Medium

Published: 22 April 2026

Modified: 30 June 2026
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0023 (13.3 percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-22747 is a medium-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in Vmware Spring Security. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.3 EPSS percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22747 is a vulnerability in Spring Security's SubjectX500PrincipalExtractor component, which fails to properly handle certain malformed X.509 certificate Common Name (CN) values. This mishandling can result in the extraction of an incorrect username value. The issue affects Spring Security versions from 7.0.0 through 7.0.4 and has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N), mapped to CWE-297 (Improper Validation of Certificate with Host Mismatch).

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by presenting a carefully crafted X.509 certificate, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows the attacker to impersonate another user, potentially leading to high confidentiality and integrity impacts (C:H/I:H) with no availability disruption (A:N) and unchanged scope (S:U).

For mitigation details, security practitioners should refer to the official Spring advisory at https://spring.io/security/cve-2026-22747, published on 2026-04-22.

Vulnerability details

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in Spring Security certificate CN extraction directly enables remote impersonation via crafted X.509 certs against a public-facing auth component (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22753: same product, Vmware Spring Security
CVE-2026-22754: same product, Vmware Spring Security
CVE-2026-22732: same product, Vmware Spring Security
CVE-2026-22733: same vendor, Vmware
CVE-2026-41002: same vendor, Vmware
CVE-2026-22731: same vendor, Vmware
CVE-2026-22750: same vendor, Vmware
CVE-2026-40972: same vendor, Vmware
CVE-2026-40976: same vendor, Vmware
CVE-2026-22719: same vendor, Vmware

Affected Assets

Vendor: vmware
Product: spring security
Versions: 7.0.0 through 7.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2 Flaw Remediation): Directly remediates the specific flaw in Spring Security's SubjectX500PrincipalExtractor by requiring timely patching of vulnerable versions 7.0.0 through 7.0.4.

Prevent (SC-17 Public Key Infrastructure Certificates): Ensures public key infrastructure certificates are validated correctly, preventing acceptance of malformed X.509 certificates that could lead to incorrect username extraction.

Prevent: Requires validation of certificate inputs like CN values to mitigate improper handling that results in extracting the wrong username for impersonation.
