Description
Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication & Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw arises when Spring Security’s request matching logic fails to include the servlet path when securityMatchers(String) is used together with a PathPatternRequestMatcher.Builder, causing intended security filter chains to be ignored. As a result, authentication, authorization, and other security checks are not executed for certain requests. This represents weaknesses in Incorrect URL Mapping (CWE‑551) and Security Misconfiguration (CWE‑693).

Affected Systems

Spring Security versions 7.0.0 through 7.0.4 are affected. Any application that configures securityMatchers and prepends a servlet path using a PathPatternRequestMatcher.Builder while running one of those versions is at risk. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 signals high impact severity, while the EPSS score of < 1% indicates a very low but non‑zero likelihood that the vulnerability will be actively exploited. It is not yet listed in CISA’s KEV catalog. The likely attack vector is remote HTTP requests; based on the description, it is inferred that an attacker can craft requests that bypass authentication or authorization checks by taking advantage of the mis‑matched paths. The flaw does not require code execution or elevated privileges and would simply allow unauthorized access to protected resources if not mitigated.

Generated by OpenCVE AI on April 29, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring Security to version 7.0.5 or later, which includes the fix for CVE-2026-22753.
  • If an upgrade cannot be performed immediately, review and modify the securityMatchers configuration and any PathPatternRequestMatcher.Builder beans so that servlet paths are not prepended, ensuring request paths match the correct security filter chain.
  • After configuration changes, validate that authentication and authorization handlers remain active for all critical endpoints through functional tests and monitor application logs for any unexpected unauthenticated requests.
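The functional check recommended above, as an added example that is not part of the OpenCVE page or of Spring Security itself: it requests each endpoint the application intends to protect both with and without the servlet path, sends no credentials, and reports any form that is served instead of challenged or redirected. The endpoint list, the servlet path "/app" and the mock application are constructed assumptions for illustration.

```python
import urllib.error
import urllib.request

# Constructed inputs: endpoints the application intends to protect, and the
# servlet path its PathPatternRequestMatcher.Builder bean is meant to prepend.
PROTECTED_ENDPOINTS = ["/api/admin/users", "/api/reports"]
SERVLET_PATH = "/app"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx (e.g. a login redirect) as a status instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url):
    """Status of an unauthenticated GET; 3xx/4xx/5xx are returned, not raised."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_unauthenticated(base_url, servlet_path, endpoints, fetch=http_status):
    """Request every protected endpoint with and without the servlet path and no
    credentials. Return the paths that were served (2xx) rather than challenged
    (401/403) or redirected to a login page (3xx): each is a request that reached
    the resource without the intended filter chain being applied."""
    exposed = []
    for endpoint in endpoints:
        for path in (servlet_path + endpoint, endpoint):
            if 200 <= fetch(base_url + path) < 300:
                exposed.append(path)
    return exposed


def mock_misconfigured_app(url):
    """Constructed stand-in (an assumption, not the exact Spring Security
    behaviour): only the servlet-path-prefixed form of a URL hits the filter
    chain and is challenged; the bare form is served unauthenticated."""
    return 401 if (SERVLET_PATH + "/api/") in url else 200


if __name__ == "__main__":
    hits = probe_unauthenticated("http://localhost:8080", SERVLET_PATH,
                                 PROTECTED_ENDPOINTS, fetch=mock_misconfigured_app)
    for path in hits:
        print("served without authentication:", path)
```

Against a real deployment, drop the `fetch=` argument so `http_status` issues the requests; any path printed is an endpoint whose security filter chain is not being applied.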

Generated by OpenCVE AI on April 29, 2026 at 00:18 UTC.

Advisories

Source: Github GHSA
ID: GHSA-4wrg-8wpc-h923
Title: Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

History

Tue, 28 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-279
CWE-290

Sat, 25 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 24 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Security
CPEs cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Security

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-279
CWE-290

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Title Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T15:59:59.319Z

Reserved: 2026-01-09T06:55:03.991Z

Link: CVE-2026-22753

Vulnrichment

Updated: 2026-04-22T15:44:39.912Z

NVD

Status : Analyzed

Published: 2026-04-22T06:16:04.160

Modified: 2026-04-24T14:17:02.280

Link: CVE-2026-22753

Redhat

Severity : Moderate

Public Date: 2026-04-22T05:20:31Z

Links: CVE-2026-22753 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses