Description
Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication & Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a flaw in Spring Security's request matching logic. When an application uses the securityMatchers(String) method together with a PathPatternRequestMatcher.Builder bean that prepends a servlet path, requests that should be routed to the intended security filter chain can fail to match it. Consequently, the authentication, authorization, and other security checks that belong to that chain are not executed for those requests. An attacker can exploit this mismatch by sending requests that bypass authentication or authorization checks, gaining unauthorized access to protected resources. The weakness is improper authentication and authorization caused by a logic error in request path resolution.

Affected Systems

Spring Security versions 7.0.0 through 7.0.4 are affected. The flaw lies in the Spring Security library (vendor: Spring). Applications that configure securityMatchers and prepend servlet paths via a PathPatternRequestMatcher.Builder bean are at risk. No other vendors or products are listed.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. EPSS data is not available, so the current likelihood of exploitation cannot be quantified, and the issue is not listed in CISA's KEV catalog. The attack is likely remote: an attacker can target the application over the network with crafted requests that land on the mismatched paths. The flaw does not require elevated privileges or code execution; it simply allows bypass of authentication and authorization controls. While no public exploit has been reported, the combination of broad version impact and high severity suggests that patching should occur promptly.

Generated by OpenCVE AI on April 22, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Spring Security update (7.0.5+) or a later version that contains the fix for CVE-2026-22753.
  • If upgrading immediately is not possible, review the configuration of securityMatchers and any PathPatternRequestMatcher.Builder beans; remove or adjust the servlet path prepending so that request paths are correctly matched to the appropriate security filter chain.
  • Verify that authentication and authorization handlers remain active for all critical endpoints by running functional tests or a security assessment, and monitor logs for any unexpected unauthenticated requests after the change.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-693
Metrics      -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Spring; Spring spring Security
Vendors & Products    -                Spring; Spring spring Security

Wed, 22 Apr 2026 07:30:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-279; CWE-290

Wed, 22 Apr 2026 05:45:00 +0000

Type          Values Removed   Values Added
Description   -                Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Title         -                Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers
References    -                (not shown)
Metrics       -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Spring Spring Security
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T15:59:59.319Z

Reserved: 2026-01-09T06:55:03.991Z

Link: CVE-2026-22753

Vulnrichment

Updated: 2026-04-22T15:44:39.912Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T06:16:04.160

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-22753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:43Z

Weaknesses