CVE-2026-22754
Published: 22 April 2026
Summary
CVE-2026-22754 is a high-severity Improper Access Control (CWE-284) vulnerability in Vmware Spring Security. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this Spring Security authorization bypass by patching affected versions 7.0.0 through 7.0.4.
AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the CVE's failure to apply authorization rules due to excluded servlet path in path matching.
CM-6 ensures secure configuration settings for system components like Spring Security intercept-url patterns are established, verified, and deviations approved to prevent authorization bypasses from configuration flaws.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing Spring Security web app directly enables T1190 exploitation of remote services/resources.
NVD Description
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead…
more
to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Deeper analysisAI
CVE-2026-22754 is a vulnerability in Spring Security that occurs when an application uses the `<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/>` configuration to define the servlet path for computing a path matcher. In this scenario, the servlet path is not included, causing related authorization rules to not be exercised and enabling an authorization bypass. The issue affects Spring Security versions from 7.0.0 through 7.0.4 and is associated with CWE-284 (Improper Access Control), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation bypasses authorization checks, allowing the attacker to access protected resources without proper permissions, resulting in high integrity impact but no confidentiality or availability disruption.
The official Spring Security advisory provides further details on this CVE, available at https://spring.io/security/cve-2026-22754.
Details
- CWE(s)