{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22731", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-03-19T22:36:15.112Z", "dateUpdated": "2026-03-20T15:33:43.191Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:36:15.112Z"}, "title": "Authentication Bypass under Actuator Health groups paths", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel", "type": "CWE"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.0.3", "versionType": "custom"}, {"status": "affected", "version": "3.5", "lessThan": "3.5.11", "versionType": "custom"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.<br><p>This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.<br>This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22731"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:33:35.462671Z", "id": "CVE-2026-22731", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:33:43.191Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22731", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:33:35.462671Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:33:39.256Z"}}], "cna": {"title": "Authentication Bypass under Actuator Health groups paths", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "4.0", "lessThan": "4.0.3", "versionType": "custom"}, {"status": "affected", "version": "3.5", "lessThan": "3.5.11", "versionType": "custom"}, {"status": "affected", "version": "3.4", "lessThan": "3.4.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22731"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.", "supportingMedia": [{"type": "text/html", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.<br><p>This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.<br>This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication bypass using an alternate path or channel"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:36:15.112Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22731", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:33:43.191Z", "dateReserved": "2026-01-09T06:54:41.498Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T22:36:15.112Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different."}], "id": "CVE-2026-22731", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.080", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22731"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0,4.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.5,3.5.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.4,3.4.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "spring_boot", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-19T23:20:43.932954+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Boot to a non\u2011vulnerable release: 4.0.3 or newer, 3.5.11 or newer, or 3.4.15 or newer.", "Verify that the Actuator health group paths are not exposed to unauthenticated users or consider disabling Actuator endpoints in production environments.", "Check the official Spring security advisory (https://spring.io/security/cve-2026-22731) for any additional guidance or interim workarounds."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Affected are Spring Boot releases: 4.0 prior to 4.0.3, 3.5 prior to 3.5.11, and 3.4 prior to 3.4.15. Any application that uses Actuator with custom Health Group paths and applies authentication to protected endpoints is in risk. The CVE reference notes the vulnerability applies specifically when a protected endpoint is declared under a Health Group path.", "description_and_impact": "Spring Boot applications that expose the Actuator endpoint can be tricked into allowing unauthenticated access when a protected endpoint is placed under a custom Health Group path. The vulnerability arises from the way Spring Boot validates authentication for health\u2011group routes, enabling any user to bypass required credentials. This flaw is classified as CWE-288 (Improper Authentication). The result is that an attacker can read or invoke endpoints that should be secured, potentially gaining sensitive data or manipulating state.", "risk_and_exploitability": "The CVSS score is 8.2, indicating high severity. Since no EPSS score is available, the exploit probability is unknown but the CVE is not listed in CISA\u2019s KEV catalog, suggesting it has not yet been publicly exploited. The vulnerability can be triggered by an unauthenticated user who can construct a request targeting the vulnerable health group path. If the application is exposed to the public Internet, the risk of exploitation increases. Immediate patching is recommended to mitigate potential unauthorized access."}}}}, "created": "2026-03-20T08:54:41.610427+00:00", "updated": "2026-03-20T10:44:09.864025+00:00", "vendors": ["spring", "spring$PRODUCT$spring_boot"]}