Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.
This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.
This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Published: 2026-03-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

Spring Boot applications that use Actuator can be affected by an authentication bypass flaw. When an endpoint that normally requires authentication is placed under a health group path, the security filter that blocks unauthenticated traffic is mistakenly skipped. This flaw was classified as CWE-288, CWE-305, and CWE-306. Unauthenticated users may thereby reach protected diagnostic data, system metrics, and configuration endpoints that are normally restricted, potentially revealing sensitive information and creating a foothold for further attacks.

Affected Systems

The flaw applies to Spring Boot releases where Actuator is enabled. Specifically, any Spring Boot 4.0 version before 4.0.3, Spring Boot 3.5 before 3.5.11, or Spring Boot 3.4 before 3.4.15 are vulnerable when an endpoint that requires authentication is declared under a health group additional path. All other product lines of Spring Boot remain unaffected.

Risk and Exploitability

The CVSS base score of 8.2 indicates high severity, while the EPSS score is reported as less than 1% and the flaw is not listed in the CISA KEV catalog, suggesting no known active exploitation. Based on the description, an attacker could use an unauthenticated HTTP request to the misconfigured health group endpoint to trigger the bypass. No credentials or privileged access are required, and access to otherwise protected data could compromise confidentiality.

Generated by OpenCVE AI on April 17, 2026 at 11:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Boot to 4.0.3, 3.5.11, 3.4.15 or later
  • Configure actuator endpoints so that health group paths require authentication, e.g., by adding security constraints in application.yml or @EnableWebSecurity settings
  • If an immediate upgrade is not possible, disable or remove unnecessary health group paths or enforce custom authentication checks on those paths

Generated by OpenCVE AI on April 17, 2026 at 11:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8hfc-fq58-r658 Spring Boot has an Authentication Bypass under Actuator Health groups paths
History

Thu, 16 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Boot
Weaknesses CWE-306
CPEs cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Boot

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-305
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Boot
Vendors & Products Spring
Spring spring Boot

Thu, 19 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Title Authentication Bypass under Actuator Health groups paths
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Spring Spring Boot
Vmware Spring Boot
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-03-20T15:33:43.191Z

Reserved: 2026-01-09T06:54:41.498Z

Link: CVE-2026-22731

cve-icon Vulnrichment

Updated: 2026-03-20T15:33:39.256Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T23:16:41.080

Modified: 2026-04-16T04:30:21.777

Link: CVE-2026-22731

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-19T22:36:15Z

Links: CVE-2026-22731 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses