{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22754", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.991Z", "datePublished": "2026-04-22T05:32:48.172Z", "dateUpdated": "2026-04-22T15:59:52.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:32:48.172Z"}, "title": "ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application uses&nbsp;<code>&lt;sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/&gt;</code>&nbsp;to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22754"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:43:57.735284Z", "id": "CVE-2026-22754", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:59:52.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:43:57.735284Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:44:19.919Z"}}], "cna": {"title": "ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22754"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Spring Security. If an application uses&nbsp;<code>&lt;sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/&gt;</code>&nbsp;to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:32:48.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22754", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:59:52.492Z", "dateReserved": "2026-01-09T06:55:03.991Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-22T05:32:48.172Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application uses\u00a0<sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\"/>\u00a0to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22754", "lastModified": "2026-04-22T17:16:34.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-22T06:16:04.270", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22754"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-22T07:03:54.894601+00:00", "value": {"mitigation_remediation": ["Upgrade to Spring Security 7.0.5 or later, which contains the path matcher fix.", "Revise or remove any <sec:intercept-url> entries that rely on servlet-path and pattern combinations and instead use explicit path definitions.", "Validate application functionality and run access control tests to confirm that authorization checks are enforced after the upgrade."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The flaw affects applications built with Spring Security versions 7.0.0 through 7.0.4. The issue arises when the <sec:intercept-url> element uses a servlet-path attribute (e.g., servlet-path=\"/servlet-path\") in combination with a pattern such as \"/endpoint/\".", "description_and_impact": "The vulnerability in Spring Security allows an attacker to bypass authorization controls because the servlet-path is omitted when computing the path matcher for XML based authorization rules. This flaw means that requests matching the specified pattern are not subjected to the intended access restrictions, potentially enabling unauthorized access to protected resources.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability poses a high baseline risk. No EPSS score is available and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests that match the defined pattern, allowing attackers to locate resources that should be protected. The severity and absence of publicly available exploits suggest that the risk is moderate to high and organizations using affected Spring Security versions should prioritize remediation."}}}}, "created": "2026-04-22T07:15:11.665630+00:00", "title": "Spring Security Path Matching Failure Enables Authorization Bypass", "updated": "2026-04-22T11:44:42.533192+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"], "weaknesses": ["CWE-285"]}