{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22753", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.991Z", "datePublished": "2026-04-22T05:20:31.083Z", "dateUpdated": "2026-04-22T15:59:59.319Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:20:31.083Z"}, "title": "Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using\u00a0securityMatchers(String)\u00a0and a\u00a0PathPatternRequestMatcher.Builder\u00a0bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application is using&nbsp;<code>securityMatchers(String)</code>&nbsp;and a&nbsp;<code>PathPatternRequestMatcher.Builder</code>&nbsp;bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22753"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:43:49.628549Z", "id": "CVE-2026-22753", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:59:59.319Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22753", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:43:49.628549Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:44:39.912Z"}}], "cna": {"title": "Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22753"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using\u00a0securityMatchers(String)\u00a0and a\u00a0PathPatternRequestMatcher.Builder\u00a0bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Spring Security. If an application is using&nbsp;<code>securityMatchers(String)</code>&nbsp;and a&nbsp;<code>PathPatternRequestMatcher.Builder</code>&nbsp;bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:20:31.083Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22753", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:59:59.319Z", "dateReserved": "2026-01-09T06:55:03.991Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-22T05:20:31.083Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using\u00a0securityMatchers(String)\u00a0and a\u00a0PathPatternRequestMatcher.Builder\u00a0bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22753", "lastModified": "2026-04-22T17:16:34.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-22T06:16:04.160", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22753"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-22T07:04:35.858323+00:00", "value": {"mitigation_remediation": ["Apply the official Spring Security update (7.0.5+) or a later version that contains the fix for CVE-2026-22753.", "If upgrading immediately is not possible, review the configuration of securityMatchers and any PathPatternRequestMatcher.Builder beans; remove or adjust the servlet path prepending so that request paths are correctly matched to the appropriate security filter chain.", "Verify that authentication and authorization handlers remain active for all critical endpoints by running functional tests or a security assessment, and monitor logs for any unexpected unauthenticated requests after the change."], "summary": {"action": "Immediate Patch", "impact": "Authentication & Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Spring Security versions 7.0.0 through 7.0.4 are affected. The flaw lies in the Spring:Spring Security library. Applications that configure securityMatchers and prepend servlet paths via a PathPatternRequestMatcher.Builder are at risk. No other vendors or products are listed.", "description_and_impact": "The vulnerability stems from a flaw in Spring Security\u2019s request matching logic. When an application uses the securityMatchers(String) method together with a PathPatternRequestMatcher.Builder that prepends a servlet path, the resulting request paths can fail to match the intended security filter chain. Consequently, the authentication, authorization, and other security checks that belong to that chain are not executed. An attacker can exploit this mis\u2011matching to send requests that bypass authentication or authorization checks, gaining unauthorized access to protected resources. The weakness is one of improper authentication and authorization due to a logic error in request path resolution.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high impact severity. EPSS data is not available, so the current likelihood of exploitation cannot be quantified, and the issue is not listed in CISA\u2019s KEV catalog. The attack is likely remote, where an attacker can target the application over the network with crafted requests that exploit the mis\u2011matched paths. The flaw does not require elevated privileges or code execution; it simply allows bypass of authentication and authorization controls. While no public exploit has been reported, the combination of broad version impact and high severity suggests that patching should occur promptly."}}}}, "created": "2026-04-22T07:15:11.666108+00:00", "updated": "2026-04-22T11:44:43.921392+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"], "weaknesses": ["CWE-279", "CWE-290"]}