Impact
A Spring Boot application that exposes Actuator can be vulnerable to an Authentication Bypass when an endpoint that requires authentication is declared under the same path used by the CloudFoundry Actuator endpoints. The vulnerability allows an attacker to access protected resources without providing proper credentials. The weakness is classified under CWE-288, Authentication Failure.
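The condition described above is a path collision, so the practical check is to compare an application's own request mappings against the CloudFoundry actuator base path. The script below is an added example written for this page, not code from the advisory, OpenCVE, or the Spring projects. It assumes that Spring Boot serves the CloudFoundry actuator under /cloudfoundryapplication and that the property management.cloudfoundry.enabled switches that actuator off (both taken from Spring Boot's documentation, neither stated on this page); the properties file and the list of mappings are constructed sample input.

```python
# Added audit script (not from the advisory or from Spring): flags Spring Boot
# request mappings that sit under the CloudFoundry actuator base path, the
# collision the advisory describes, and reports whether that actuator is active.
import re
from typing import Iterable

# Spring Boot serves its CloudFoundry actuator under this path (assumed from
# Spring Boot's documentation; the advisory page does not state it).
CLOUDFOUNDRY_ACTUATOR_PATH = "/cloudfoundryapplication"

# Spring Boot property that turns the CloudFoundry actuator off (default: on).
CLOUDFOUNDRY_ENABLED_PROPERTY = "management.cloudfoundry.enabled"

# Constructed sample application.properties: nothing disables the CF actuator.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
management.endpoints.web.exposure.include=health,info
server.port=8080
"""

# Constructed sample of the app's own @RequestMapping paths, two of which
# sit under the CloudFoundry actuator path.
SAMPLE_MAPPINGS = [
    "/api/orders",
    "/cloudfoundryapplication/internal/admin",
    "/admin/**",
    "/cloudfoundryapplication",
]


def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for Java .properties lines (key=value, '#'/'!' comments)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def normalise(path: str) -> str:
    """Collapse repeated slashes, force a leading slash, drop a trailing one."""
    path = re.sub(r"/+", "/", path.strip())
    if not path.startswith("/"):
        path = "/" + path
    return path.rstrip("/") or "/"


def cloudfoundry_actuator_enabled(props: dict[str, str]) -> bool:
    """The CloudFoundry actuator is on unless the property is explicitly false."""
    return props.get(CLOUDFOUNDRY_ENABLED_PROPERTY, "true").strip().lower() != "false"


def colliding_mappings(mappings: Iterable[str],
                       base: str = CLOUDFOUNDRY_ACTUATOR_PATH) -> list[str]:
    """Return mappings equal to, or nested under, the actuator base path.
    A sibling prefix such as /cloudfoundryapplications/x does not count."""
    base = normalise(base)
    hits = []
    for mapping in mappings:
        p = normalise(mapping)
        if p == base or p.startswith(base + "/"):
            hits.append(mapping)
    return hits


def audit(properties_text: str, mappings: Iterable[str]) -> list[str]:
    """Produce one finding per colliding mapping, plus one if the CF actuator
    is still active while collisions exist."""
    props = parse_properties(properties_text)
    findings = []
    for path in colliding_mappings(mappings):
        findings.append(
            f"mapping {path!r} is declared under {CLOUDFOUNDRY_ACTUATOR_PATH}: "
            "move it to a distinct path")
    if findings and cloudfoundry_actuator_enabled(props):
        findings.append(
            f"{CLOUDFOUNDRY_ENABLED_PROPERTY} is not false: the CloudFoundry "
            "actuator is active on the colliding path")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_MAPPINGS):
        print("FINDING:", finding)
```

Feed the script the mappings reported by your application's own mapping inventory and its effective properties; any finding means an authenticated endpoint shares the actuator's path and should be relocated, with the affected Spring releases upgraded as the advisory indicates. Disabling the CloudFoundry actuator on deployments that are not on Cloud Foundry removes the shared path, but the page does not state that this alone resolves the advisory.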
Affected Systems
Spring Security versions affected are: 4.0.0 through 4.0.3, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.17, and 2.7.0 through 2.7.31. Any Spring Boot application using these Spring Security releases and enabling Actuator with CloudFoundry endpoints is at risk.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The official description omits the attack vector; it is inferred that a remote attacker, authenticated or not, can trigger the bypass by sending requests to the affected endpoint path. Exploitation consists of requesting the vulnerable Actuator path and retrieving restricted data without authentication, which is exactly the condition the vulnerability creates.
OpenCVE Enrichment
Source: GitHub GHSA