CVE-2018-1258
Description
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Framework 5.0.5 with Spring Security allows unauthorized users to bypass method security, accessing restricted methods.
Vulnerability
CVE-2018-1258 is an authorization bypass in Spring Framework version 5.0.5 when it is used together with any version of Spring Security [1][2]. The defect sits in the method security integration, the mechanism that applies authorization checks to annotated methods, so methods that should be restricted can be invoked without the intended check being enforced.
Exploitation
An attacker who can cause the application to invoke a method protected by Spring Security method security annotations (such as @PreAuthorize or @Secured) can have that method run without the intended authorization check being enforced [3]. Whether this needs a low-privileged authenticated account or no credentials at all depends on how the calling code path is exposed: if the endpoint that reaches the secured method is itself unauthenticated, no special privileges are required.
Impact
Successful exploitation gives the attacker access to restricted methods, which can lead to privilege escalation, disclosure or modification of data, or whatever other effect the bypassed methods can produce, depending on what those methods do.
Mitigation
The vulnerability is fixed in Spring Framework 5.0.6 and Spring Security 5.0.5 [1]. Users should upgrade immediately. For Oracle products, refer to the July 2018 Critical Patch Update [1]. No known workarounds.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
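To check that method security is actually enforced on a given Spring Framework and Spring Security combination, the test below exercises the property this CVE violates: a @PreAuthorize-guarded method must refuse an authenticated caller without the required role and must refuse an unauthenticated caller. This is an added example, not code from the page, the advisories or the Spring projects. `AccountService`, its `deleteAccount` method and the package name are hypothetical, and it assumes JUnit 4, AssertJ, spring-test, spring-security-config and spring-security-test on the test classpath. It does not reproduce the specific 5.0.5 trigger, which the page does not describe; it is the regression test to run before and after the upgrade named under Mitigation, on a build whose spring-core and spring-security versions are pinned.

```java
package com.example.security; // hypothetical package name for this added example

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;

/**
 * Regression test for the property CVE-2018-1258 breaks: a method guarded by
 * Spring Security method security must not run for a caller lacking the role.
 * Added example; AccountService is a hypothetical service, not project code.
 */
@RunWith(SpringRunner.class)
@ContextConfiguration(classes = MethodSecurityRegressionTest.Config.class)
public class MethodSecurityRegressionTest {

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize interception
    static class Config {
        @Bean
        AccountService accountService() {
            return new AccountService(); // gets proxied by the method-security advisor
        }

        @Bean
        UserDetailsService users() {
            // Gives the method-security interceptor an AuthenticationManager to wire.
            // The tests authenticate via @WithMockUser, so this account is never logged in.
            return new InMemoryUserDetailsManager(
                    User.withUsername("admin").password("{noop}secret").roles("ADMIN").build());
        }
    }

    /** Hypothetical service; the annotation is the access-control boundary under test. */
    static class AccountService {
        @PreAuthorize("hasRole('ADMIN')")
        public String deleteAccount(String id) {
            return "deleted " + id;
        }
    }

    @Autowired
    private AccountService accountService;

    @Test
    @WithMockUser(roles = "ADMIN")
    public void adminIsAllowed() {
        assertThat(accountService.deleteAccount("42")).isEqualTo("deleted 42");
    }

    @Test
    @WithMockUser(roles = "USER")
    public void authenticatedUserWithoutRoleIsDenied() {
        // The assertion an authorization bypass of this kind would break:
        // the method body must not execute for ROLE_USER.
        assertThatThrownBy(() -> accountService.deleteAccount("42"))
                .isInstanceOf(AccessDeniedException.class);
    }

    @Test
    public void unauthenticatedCallerIsDenied() {
        // No Authentication in the SecurityContext: the interceptor must refuse,
        // not fall through to the method.
        assertThatThrownBy(() -> accountService.deleteAccount("42"))
                .isInstanceOf(AuthenticationCredentialsNotFoundException.class);
    }
}
```

Run it once against the affected combination and once after the upgrade. If `authenticatedUserWithoutRoleIsDenied` or `unauthenticatedCallerIsDenied` passes only after the upgrade, that build was exposed. Because the page does not state which code path in 5.0.5 skips the check, a green run does not prove a deployment was never exploitable; moving spring-core to 5.0.6.RELEASE or later remains the fix.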
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-core (Maven) | >= 5.0.5.RELEASE, < 5.0.6.RELEASE | 5.0.6.RELEASE |
Affected products
- Pivotal / Spring Framework, v5, range: 5.0.5
Patches
7b8fa90d96aa Add accessDeniedHandler method to ExceptionHandlingSpec
2 files changed · +160 −0
config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java+17 −0 modified@@ -171,6 +171,8 @@ public class ServerHttpSecurity { private List<DelegateEntry> defaultEntryPoints = new ArrayList<>(); + private ServerAccessDeniedHandler accessDeniedHandler; + private List<WebFilter> webFilters = new ArrayList<>(); private Throwable built; @@ -526,6 +528,9 @@ public SecurityWebFilterChain build() { exceptionTranslationWebFilter.setAuthenticationEntryPoint( authenticationEntryPoint); } + if(accessDeniedHandler != null) { + exceptionTranslationWebFilter.setAccessDeniedHandler(accessDeniedHandler); + } this.addFilterAt(exceptionTranslationWebFilter, SecurityWebFiltersOrder.EXCEPTION_TRANSLATION); this.authorizeExchange.configure(this); } @@ -793,6 +798,18 @@ public ExceptionHandlingSpec authenticationEntryPoint(ServerAuthenticationEntryP return this; } + /** + * Configures what to do when an authenticated user does not hold a required authority + * @param accessDeniedHandler the access denied handler to use + * @return the {@link ExceptionHandlingSpec} to configure + * + * @since 5.0.5 + */ + public ExceptionHandlingSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) { + ServerHttpSecurity.this.accessDeniedHandler = accessDeniedHandler; + return this; + } + /** * Allows method chaining to continue configuring the {@link ServerHttpSecurity} * @return the {@link ServerHttpSecurity} to continue configuring
config/src/test/java/org/springframework/security/config/web/server/ExceptionHandlingSpecTests.java+143 −0 added@@ -0,0 +1,143 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.web.server; + +import org.junit.Test; +import org.springframework.http.HttpStatus; +import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder; +import org.springframework.security.test.web.reactive.server.WebTestClientBuilder; +import org.springframework.security.web.server.SecurityWebFilterChain; +import org.springframework.security.web.server.ServerAuthenticationEntryPoint; +import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint; +import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler; +import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler; +import org.springframework.test.web.reactive.server.WebTestClient; +import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.Credentials.basicAuthenticationCredentials; +import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication; + +/** + * @author Denys Ivano + * @since 5.0.5 + */ +public class ExceptionHandlingSpecTests { + private ServerHttpSecurity http = 
ServerHttpSecurityConfigurationBuilder.httpWithDefaultAuthentication(); + + @Test + public void defaultAuthenticationEntryPoint() { + SecurityWebFilterChain securityWebFilter = this.http + .csrf().disable() + .authorizeExchange() + .anyExchange().authenticated() + .and() + .exceptionHandling() + .and() + .build(); + + WebTestClient client = WebTestClientBuilder + .bindToWebFilters(securityWebFilter) + .build(); + + client + .get() + .uri("/test") + .exchange() + .expectStatus().isUnauthorized() + .expectHeader().valueMatches("WWW-Authenticate", "Basic.*"); + } + + @Test + public void customAuthenticationEntryPoint() { + SecurityWebFilterChain securityWebFilter = this.http + .csrf().disable() + .authorizeExchange() + .anyExchange().authenticated() + .and() + .exceptionHandling() + .authenticationEntryPoint(redirectServerAuthenticationEntryPoint("/auth")) + .and() + .build(); + + WebTestClient client = WebTestClientBuilder + .bindToWebFilters(securityWebFilter) + .build(); + + client + .get() + .uri("/test") + .exchange() + .expectStatus().isFound() + .expectHeader().valueMatches("Location", ".*"); + } + + @Test + public void defaultAccessDeniedHandler() { + SecurityWebFilterChain securityWebFilter = this.http + .csrf().disable() + .httpBasic().and() + .authorizeExchange() + .anyExchange().hasRole("ADMIN") + .and() + .exceptionHandling() + .and() + .build(); + + WebTestClient client = WebTestClientBuilder + .bindToWebFilters(securityWebFilter) + .filter(basicAuthentication()) + .build(); + + client + .get() + .uri("/admin") + .attributes(basicAuthenticationCredentials("user", "password")) + .exchange() + .expectStatus().isForbidden(); + } + + @Test + public void customAccessDeniedHandler() { + SecurityWebFilterChain securityWebFilter = this.http + .csrf().disable() + .httpBasic().and() + .authorizeExchange() + .anyExchange().hasRole("ADMIN") + .and() + .exceptionHandling() + .accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST)) + .and() + 
.build(); + + WebTestClient client = WebTestClientBuilder + .bindToWebFilters(securityWebFilter) + .filter(basicAuthentication()) + .build(); + + client + .get() + .uri("/admin") + .attributes(basicAuthenticationCredentials("user", "password")) + .exchange() + .expectStatus().isBadRequest(); + } + + private ServerAuthenticationEntryPoint redirectServerAuthenticationEntryPoint(String location) { + return new RedirectServerAuthenticationEntryPoint(location); + } + + private ServerAccessDeniedHandler httpStatusServerAccessDeniedHandler(HttpStatus httpStatus) { + return new HttpStatusServerAccessDeniedHandler(httpStatus); + } +}
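Review bot: the paths in this diff (`config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java` and its test) are in Spring Security's `config` module, and the first hunk's new `ServerAccessDeniedHandler accessDeniedHandler` field is the start of a reactive `accessDeniedHandler` option on `ExceptionHandlingSpec`; nothing in the change touches method security, and the `@since 5.0.5` Javadoc marks it as Spring Security 5.0.5 work. The CVE description concerns Spring Framework 5.0.5, and the references link a `spring-projects/spring-framework` commit with this same hash prefix, so this diff does not appear to be the fix for CVE-2018-1258. Either link the matching spring-framework change or label this commit as related Spring Security 5.0.5 work rather than as the patch.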
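Review bot: `accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)` in the third hunk stores its argument without validation, and because `build()` only calls `exceptionTranslationWebFilter.setAccessDeniedHandler(accessDeniedHandler)` inside `if(accessDeniedHandler != null)`, a caller who passes null silently keeps the default handler instead of failing fast. Add `Assert.notNull(accessDeniedHandler, "accessDeniedHandler cannot be null");` at the top of the setter, and state in the Javadoc what applies when the method is never called (the `defaultAccessDeniedHandler` test expects a 403).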
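Review bot: in `customAuthenticationEntryPoint` the assertion `.expectHeader().valueMatches("Location", ".*")` is satisfied by any value, so the test cannot distinguish the configured `/auth` redirect from any other redirect; tighten it to `.expectHeader().valueMatches("Location", ".*/auth")` so it proves the custom `ServerAuthenticationEntryPoint` was used. The `defaultAccessDeniedHandler` and `customAccessDeniedHandler` cases also depend on `httpWithDefaultAuthentication()` accepting the `user`/`password` credentials passed via `basicAuthenticationCredentials`, which is not visible in this file and deserves a one-line comment.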
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:2413 (Red Hat advisory)
- github.com/advisories/GHSA-cxrj-66c5-9fmh (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1258 (NVD)
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (Oracle CPU, July 2018)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Oracle CPU, October 2018)
- www.securityfocus.com/bid/104222 (BID)
- www.securitytracker.com/id/1041888 (SecurityTracker)
- www.securitytracker.com/id/1041896 (SecurityTracker)
- github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1 (commit)
- pivotal.io/security/cve-2018-1258 (Pivotal advisory)
- security.netapp.com/advisory/ntap-20181018-0002 (NetApp advisory)
- web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222 (archived BID 104222)
- web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888 (archived SecurityTracker 1041888)
- web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896 (archived SecurityTracker 1041896)
- www.oracle.com/security-alerts/cpuapr2020.html (Oracle CPU, April 2020)
- www.oracle.com/security-alerts/cpujan2020.html (Oracle CPU, January 2020)
- www.oracle.com/security-alerts/cpujan2021.html (Oracle CPU, January 2021)
- www.oracle.com/security-alerts/cpujul2020.html (Oracle CPU, July 2020)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle CPU, October 2021)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Oracle CPU, April 2019)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (Oracle CPU, January 2019)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Oracle CPU, July 2019)
News mentions
No linked articles in our index yet.