Description
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1 in applications that use Spring Security, due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses the security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported; users of those versions should update to the latest 14, 23, 24 or 25 release.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated request to the /VAADIN path without a trailing slash is matched inconsistently against the reserved framework path patterns, so it slips past the Spring Security filters, reaches Vaadin's framework initialization and causes the server to create an HTTP session for a caller who never authenticated. The CNA classifies the weakness as improper access control (CWE-284); Red Hat additionally assigns CWE-551, authorization performed before the request path is parsed and canonicalized, which is the path-matching inconsistency behind the bypass. The NVD vector (C:N/I:L/A:N) reflects what the report establishes: unauthorized session creation, not disclosure of application data. Whether such a session is useful beyond that depends on what the application itself protects; the advisory describes no further escalation.

Affected Systems

Vaadin Flow 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1 are affected when Spring Security is in use. Versions 10-13 and 15-22 are no longer supported and should be upgraded to the latest 14, 23, 24, or 25 release. Applications that do not put Spring Security in front of Vaadin's reserved /VAADIN framework path are outside the scope of this advisory.

Risk and Exploitability

The NVD CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates medium severity, and the EPSS score of less than 1% reflects a very low estimated probability of exploitation as of this analysis. The vulnerability is not listed in the CISA KEV catalog. Note that the CNA's CVSS 4.0 vector and Red Hat's CVSS 3.1 vector (6.3) both score PR:L, whereas NVD scores PR:N; the description itself speaks of unauthenticated users, so treat the endpoint as reachable without credentials. Exploitation is a plain web request to /VAADIN without a trailing slash; nothing beyond network reachability of the application is required.

Generated by OpenCVE AI on May 7, 2026 at 19:28 UTC.

Remediation

Vendor Solution

The vendor's solution is to upgrade to a fixed release: 14.14.1, 23.6.7, 24.9.8 or 25.0.2, or newer within the respective series.


OpenCVE Recommended Actions

  • Upgrade Vaadin to 14.14.1, 23.6.7, 24.9.8 or 25.0.2 (or newer in the respective series) in every application that uses Spring Security.
  • Until the upgrade is deployed, make sure your Spring Security rules cover the exact /VAADIN path and not only /VAADIN/**, or enforce a trailing slash, so that an unauthenticated request to the slash-less form is rejected rather than handed to framework initialization.
  • After updating dependencies, redeploy and verify that an unauthenticated request to /VAADIN (no trailing slash) is treated the same as one to /VAADIN/ and does not result in a new session.
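The verification step above can be scripted. The following is an added example, not OpenCVE's or Vaadin's code: it sends unauthenticated GETs to /VAADIN and /VAADIN/ on a deployment under test (BASE_URL is a hypothetical placeholder), refuses to follow redirects so a login redirect is seen as such, and reports the status, whether a session cookie was issued, and the Location header for each path. The cookie names are the Servlet container default (JSESSIONID) and the Spring Session default (SESSION); adjust them if your deployment renames the cookie. Spring Security's request cache may itself create a session on the redirect to the login page, so compare the two paths against each other rather than treating any Set-Cookie as proof of the bug.

```python
"""Probe whether an unauthenticated request to /VAADIN (no trailing slash)
is handled differently from /VAADIN/ and whether it yields a session.

Added example for checking the CVE-2026-2742 remediation. Not OpenCVE's or
Vaadin's code. BASE_URL is an assumed deployment under test.
"""
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

BASE_URL = "http://localhost:8080"  # assumption: your test deployment
PATHS = ("/VAADIN", "/VAADIN/")

# Default session cookie names: Servlet containers and Spring Session.
SESSION_COOKIES = {"JSESSIONID", "SESSION"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so a
    redirect to the login page is observed rather than replaced by the
    login page's own 200 response."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(_NoRedirect)


def session_cookies(headers):
    """Return the session cookie names set by a response.

    `headers` is an iterable of (name, value) pairs, as yielded by
    http.client.HTTPMessage.items(). Each Set-Cookie header is parsed on
    its own because SimpleCookie cannot split merged Set-Cookie values.
    """
    found = set()
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        found.update(k for k in jar if k in SESSION_COOKIES)
    return found


def classify(status, headers):
    """Summarise one unauthenticated response as a dict: HTTP status, whether
    a session cookie was issued, and the Location header if present."""
    hdrs = list(headers)
    location = next((v for k, v in hdrs if k.lower() == "location"), None)
    return {
        "status": status,
        "session_created": bool(session_cookies(hdrs)),
        "location": location,
    }


def consistent(results):
    """True when every probed path gives the same session-creation verdict,
    i.e. /VAADIN is no longer treated differently from /VAADIN/."""
    verdicts = {r["session_created"] for r in results.values()}
    return len(verdicts) <= 1


def probe(base_url=BASE_URL, paths=PATHS):
    """Send unauthenticated GETs (no cookies, no credentials) and classify
    each response. Requires a reachable deployment; see classify() for the
    offline part."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, method="GET")
        try:
            with OPENER.open(req, timeout=10) as resp:
                status, headers = resp.status, resp.headers.items()
        except urllib.error.HTTPError as err:
            status, headers = err.code, err.headers.items()
        results[path] = classify(status, headers)
    return results


if __name__ == "__main__":
    outcome = probe()
    for path, verdict in outcome.items():
        print(f"{path:<9} status={verdict['status']} "
              f"session_created={verdict['session_created']} "
              f"location={verdict['location']}")
    print("paths treated consistently:", consistent(outcome))
```

A fixed deployment should show both paths with the same session_created value and, for a protected application, the same redirect to the login page. A slash-less /VAADIN that returns a session cookie while /VAADIN/ redirects without one reproduces the behaviour the advisory describes.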

Generated by OpenCVE AI on May 7, 2026 at 19:28 UTC.


Advisories
Source | ID | Title
GitHub GHSA | GHSA-rjgh-wgc7-m37j | Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash
History

Thu, 07 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-Other
CPEs | | cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*
Metrics | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 13 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-551
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
Metrics | | threat_severity Moderate


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vaadin; Vaadin flow; Vaadin vaadin
Vendors & Products | | Vaadin; Vaadin flow; Vaadin vaadin

Tue, 10 Mar 2026 17:15:00 +0000


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
Title | | Unauthorized session creation via reserved framework path access
Weaknesses | | CWE-284
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: Vaadin

Published:

Updated: 2026-03-16T10:52:30.637Z

Reserved: 2026-02-19T12:00:12.056Z

Link: CVE-2026-2742

Vulnrichment

Updated: 2026-03-10T13:43:04.142Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:49.410

Modified: 2026-05-07T18:40:35.867

Link: CVE-2026-2742

Red Hat

Severity: Moderate

Public Date: 2026-03-10T12:08:48Z

Links: CVE-2026-2742 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T19:30:27Z