Cyber Resilience

CVE-2026-22754

High

Published: 22 April 2026

Published
22 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0006 17.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22754 is a high-severity Improper Access Control (CWE-284) vulnerability in Vmware Spring Security. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22754 is a vulnerability in Spring Security that occurs when an application uses the `<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/>` configuration to define the servlet path for computing a path matcher. In this scenario, the servlet path is not included, causing related authorization rules to not be exercised and enabling an authorization bypass. The issue affects Spring Security versions from 7.0.0 through 7.0.4 and is associated with CWE-284 (Improper Access Control), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

An unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation bypasses authorization checks, allowing the attacker to access protected resources without proper permissions, resulting in high integrity impact but no confidentiality or availability disruption.

The official Spring Security advisory provides further details on this CVE, available at https://spring.io/security/cve-2026-22754.

EU & UK References

Vulnerability details

Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead…

more

to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in public-facing Spring Security web app directly enables T1190 exploitation of remote services/resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22732Same product: Vmware Spring Security
CVE-2026-22747Same product: Vmware Spring Security
CVE-2026-22753Same product: Vmware Spring Security
CVE-2026-40976Same vendor: Vmware
CVE-2026-22733Same vendor: Vmware
CVE-2026-22731Same vendor: Vmware
CVE-2026-22719Same vendor: Vmware
CVE-2026-40972Same vendor: Vmware
CVE-2026-22750Same vendor: Vmware
CVE-2026-41002Same vendor: Vmware

Affected Assets

vmware
spring security
7.0.0 — 7.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this Spring Security authorization bypass by patching affected versions 7.0.0 through 7.0.4.

prevent

AC-3 mandates enforcement of approved authorizations for access to resources, directly countering the CVE's failure to apply authorization rules due to excluded servlet path in path matching.

prevent

CM-6 ensures secure configuration settings for system components like Spring Security intercept-url patterns are established, verified, and deviations approved to prevent authorization bypasses from configuration flaws.

References