CVE-2026-22753
Published: 22 April 2026
Summary
CVE-2026-22753 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in VMware Spring Security. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2026-22753 by requiring timely identification, reporting, and remediation of the flaw in Spring Security versions 7.0.0 through 7.0.4 via patching.
- CM-6 (Configuration Settings): Ensures secure and documented configuration settings for Spring Security matchers and path patterns, preventing the misconfigurations that trigger the path-matching failure.
- Verifies that authentication, authorization, and other security functions are exercised and behave correctly on intended requests, identifying bypasses caused by faulty filter chain matching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct security filter bypass in a public-facing Spring web application enables remote exploitation of protected endpoints without authentication or authorization.
NVD Description
Vulnerability in Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Deeper analysis
CVE-2026-22753 is a vulnerability in Spring Security versions 7.0.0 through 7.0.4. It arises when an application configures securityMatchers(String) alongside a PathPatternRequestMatcher.Builder bean that prepends a servlet path. Under these conditions, requests intended for a specific filter chain may fail to match, causing related security components to be skipped. This renders authentication, authorization, and other security controls inactive on those requests. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-693: Protection Mechanism Failure.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By sending crafted requests that leverage the faulty path matching, they bypass intended security filters, achieving high integrity impact. This enables actions such as unauthorized access or manipulation that security controls were meant to prevent.
For details on patches and mitigation steps, refer to the official advisory at https://spring.io/security/cve-2026-22753.