Description
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. 
This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:

: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Published: 2026-03-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Missing security HTTP headers
Action: Immediate patch
AI Analysis

Impact

Spring Security’s default lazy writing of HTTP headers can fail under certain conditions, causing applications to omit response headers that were explicitly requested. As a result, the browser receives incomplete security metadata, weakening the protective posture of the application.

Affected Systems

Vulnerable are VMware Spring Security servlet applications. Affected versions include 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity issue. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, showing a low current exploitation likelihood. Based on the description, the likely attack vector is remote interaction with the web application, which could trigger the header omission. No public exploit is documented, but the missing headers can undermine the security of user sessions and data.

Generated by OpenCVE AI on April 2, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to any version newer than 7.0.3.
  • Verify that HTTP response headers are included in the outgoing responses.
  • If an upgrade is not feasible, configure the application to set the required security headers explicitly.

Generated by OpenCVE AI on April 2, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mf92-479x-3373 Spring Security HTTP Headers Are not Written Under Some Conditions
History

Thu, 02 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-166
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-425
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-277

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-277

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Thu, 19 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Title Under Some Conditions Spring Security HTTP Headers Are not Written
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Spring Spring Security
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-02T07:20:58.779Z

Reserved: 2026-01-09T06:54:41.498Z

Link: CVE-2026-22732

cve-icon Vulnrichment

Updated: 2026-03-20T15:01:01.327Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T23:16:41.253

Modified: 2026-04-02T08:16:28.230

Link: CVE-2026-22732

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-19T22:47:38Z

Links: CVE-2026-22732 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:23:22Z

Weaknesses