Description
Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

Spring Security's NimbusJwtDecoder and NimbusReactiveJwtDecoder parse JSON Web Tokens but can leave critical checks unperformed unless a developer explicitly configures an OAuth2TokenValidator<Jwt>. When this step is omitted, the library does not enforce signature verification, issuer validation, or expiration checks, so a forged or expired token can be accepted and grant unauthorised access. The weakness stems from missing configuration and improper input validation, as reflected by CWE-20 and CWE-347 (input validation errors and protocol convention violations).

Affected Systems

Spring Security versions 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4 are affected. Releases outside these ranges are not impacted by this misconfiguration.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of < 1% suggests a very low probability of exploitation. The vulnerability is not listed in the KEV catalog, further indicating limited public exploitation. The likely attack vector involves an attacker who can influence application configuration—typically a developer or system administrator—so the risk is higher in environments where such access is possible, rather than from a remote attacker without deployment privileges.

Generated by OpenCVE AI on April 29, 2026 at 02:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the newest released version of Spring Security that includes mandatory token validation (any release beyond the affected ranges, starting with 6.3.15, 6.4.15, 6.5.10, or 7.0.5).
  • If an immediate upgrade is not possible, modify the decoder configuration to invoke setJwtValidator and supply a DelegatingOAuth2TokenValidator that enforces signature, expiration, and issuer checks.
  • As a temporary safeguard, add a programmatic default validator that layers timestamp and issuer validation when the application uses the decoder without an explicit validator, thereby preventing forged tokens until a permanent upgrade is applied.
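The configuration the actions above describe, written out as an added example (not code from OpenCVE or from the Spring Security project): the decoder is built with withIssuerLocation and then given an explicit validator chain via setJwtValidator. The issuer URL and audience value are assumed placeholders.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder values for this example; use your authorization server's issuer
    // and the audience value it puts into tokens minted for this resource server.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String AUDIENCE = "my-api";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Builds a decoder whose JWK set is discovered from the issuer location.
        // On the affected versions, stopping here leaves the decoder without the
        // validators the advisory says must be configured separately.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // Spring's default validator set: exp/nbf timestamp checks plus an "iss" check.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // Extra check that the token was issued for this API ("aud" claim).
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));

        // Explicitly install the chain; this is the setJwtValidator call the advisory refers to.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }
}
```

NimbusReactiveJwtDecoder exposes the same withIssuerLocation builder and setJwtValidator method, so a WebFlux resource server applies the same chain to a ReactiveJwtDecoder bean.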



Advisories
Source: GitHub GHSA
ID: GHSA-cvc6-q2cp-2xhw
Title: Spring Security has Potential Security Misconfiguration when Using withIssuerLocation
History

Wed, 29 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-749
CWE-863

Sat, 25 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 24 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Security
CPEs cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Security

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-749
CWE-863

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Title Potential Security Misconfiguration when Using withIssuerLocation
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T16:00:09.573Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22748

Vulnrichment

Updated: 2026-04-22T15:46:49.013Z

NVD

Status : Analyzed

Published: 2026-04-22T06:16:04.040

Modified: 2026-04-24T14:18:17.413

Link: CVE-2026-22748

Redhat

Severity : Moderate

Public Date: 2026-04-22T05:15:03Z

Links: CVE-2026-22748 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses