Description
Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.
This issue affects Spring Security: from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized User Impersonation
Action: Immediate Patch
AI Analysis

Impact

A flaw in Spring Security’s SubjectX500PrincipalExtractor allows a malformed Common Name (CN) field in an X.509 client certificate to be parsed incorrectly. The component can read an unintended value as the authenticated username, enabling an attacker to impersonate any user for whom a valid certificate is not required.

Affected Systems

Spring Security, versions 7.0.0 through 7.0.4.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.8. EPSS data is not available, and it is not listed in the CISA KEV catalog. Exploitation requires an application that accepts X.509 client certificates. An attacker would need to supply a specially crafted certificate; if successful, the victim’s session would be bound to the forged identity, allowing access to resources they normally could not reach. No public exploit is currently known, but the nature of the attack vector and the moderate CVSS rating suggests that it could be actively leveraged in targeted or automated attacks.

Generated by OpenCVE AI on April 22, 2026 at 07:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to version 7.0.5 or later to apply the fix for the certificate parsing bug
  • If an upgrade is not feasible immediately, disable X.509 client certificate authentication in the affected application
  • Implement additional validation of the X.509 certificate’s CN field before it is used for authentication

Generated by OpenCVE AI on April 22, 2026 at 07:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-22747 cve-icon cve-icon
History

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-297
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287
CWE-374

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Title Unauthorized User Impersonation when Using X.509 Client Certificates
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Spring Spring Security
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T16:00:15.525Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22747

cve-icon Vulnrichment

Updated: 2026-04-22T15:52:52.728Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T06:16:03.933

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-22747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:46Z

Weaknesses