Description
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability in Spring Security allows an attacker to bypass authorization controls because the servlet-path is omitted when computing the path matcher for XML based authorization rules. This flaw means that requests matching the specified pattern are not subjected to the intended access restrictions, potentially enabling unauthorized access to protected resources.

Affected Systems

The flaw affects applications built with Spring Security versions 7.0.0 through 7.0.4. The issue arises when the <sec:intercept-url> element uses a servlet-path attribute (e.g., servlet-path="/servlet-path") in combination with a pattern such as "/endpoint/".

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability poses a high baseline risk. No EPSS score is available and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests that match the defined pattern, allowing attackers to locate resources that should be protected. The severity and absence of publicly available exploits suggest that the risk is moderate to high and organizations using affected Spring Security versions should prioritize remediation.

Generated by OpenCVE AI on April 22, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring Security 7.0.5 or later, which contains the path matcher fix.
  • Revise or remove any <sec:intercept-url> entries that rely on servlet-path and pattern combinations and instead use explicit path definitions.
  • Validate application functionality and run access control tests to confirm that authorization checks are enforced after the upgrade.

Generated by OpenCVE AI on April 22, 2026 at 07:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-22754 cve-icon cve-icon
History

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Title ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Spring Spring Security
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T15:59:52.492Z

Reserved: 2026-01-09T06:55:03.991Z

Link: CVE-2026-22754

cve-icon Vulnrichment

Updated: 2026-04-22T15:44:19.919Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T06:16:04.270

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-22754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:42Z

Weaknesses