CVE-2018-1260
Description
Spring Security OAuth versions before 2.3.3, 2.2.2, 2.1.2, and 2.0.15 allow remote code execution via a crafted authorization request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Security OAuth contains a remote code execution vulnerability in the authorization endpoint. Versions affected are 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15, and older unsupported versions [1]. A malicious user can craft an authorization request that causes remote code execution when the resource owner is forwarded to the approval endpoint.
Exploitation
An attacker crafts a malicious authorization request and sends it to the authorization endpoint. No authentication is required to send the request. When the resource owner (user) is subsequently forwarded to the approval endpoint, the crafted payload triggers remote code execution [1]. The exact mechanism is not detailed in public references.
Impact
Successful exploitation leads to remote code execution, allowing the attacker to execute arbitrary code on the server. This can result in complete compromise of confidentiality, integrity, and availability. The vulnerability has been rated as Critical/Important in Red Hat advisories [3][4].
Mitigation
The fix is to upgrade to a fixed release of the affected branch: 2.3.3, 2.2.2, 2.1.2, or 2.0.15 [1]. The Spring Security OAuth project is no longer actively maintained and has been replaced by Spring Security's built-in OAuth2 support and Spring Authorization Server [2]. Users are advised to migrate to these replacements. Red Hat has released patches for Red Hat OpenShift Application Runtimes [4] and Red Hat FIS [3] that include the fix.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security.oauth:spring-security-oauth2 | Maven | >= 2.3.0, < 2.3.3 | 2.3.3 |
| org.springframework.security.oauth:spring-security-oauth2 | Maven | >= 2.2.0, < 2.2.2 | 2.2.2 |
| org.springframework.security.oauth:spring-security-oauth2 | Maven | >= 2.1.0, < 2.1.2 | 2.1.2 |
| org.springframework.security.oauth:spring-security-oauth2 | Maven | >= 2.0.0, < 2.0.15 | 2.0.15 |
| org.springframework.security.oauth:spring-security-oauth2 | Maven | >= 1.0.0, <= 1.0.5 | — (no fixed release) |
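As an added example that is not part of this CVE record or of the Spring project's own code, the following Python script evaluates a declared spring-security-oauth2 version against the affected ranges in the table above and scans a pom.xml for the artifact. It assumes Spring's `<major>.<minor>.<patch>.RELEASE` version scheme, treats a pre-release qualifier (for example BUILD-SNAPSHOT or RC1) of a fixed version as still affected, and the embedded pom.xml is constructed for the demonstration; a version given as an unresolved Maven property is reported as unresolved rather than guessed.

```python
"""Check Maven versions of spring-security-oauth2 against the CVE-2018-1260 affected ranges."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Ranges copied from the advisory table on this page:
# (lower bound inclusive, upper bound exclusive, patched version).
AFFECTED_RANGES = [
    ("2.3.0", "2.3.3", "2.3.3"),
    ("2.2.0", "2.2.2", "2.2.2"),
    ("2.1.0", "2.1.2", "2.1.2"),
    ("2.0.0", "2.0.15", "2.0.15"),
]
# The 1.0.x line (>= 1.0.0, <= 1.0.5) has no fixed release.
UNPATCHED_RANGE = ("1.0.0", "1.0.5")

GROUP = "org.springframework.security.oauth"
ARTIFACT = "spring-security-oauth2"
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(v: str) -> tuple[tuple[int, ...], int]:
    """Turn '2.3.2.RELEASE' into ((2, 3, 2), 1); a pre-release qualifier yields a 0 flag.

    Assumption: numeric dotted components followed by an optional qualifier.
    A release (no qualifier or .RELEASE) sorts after pre-releases of the same number,
    so 2.3.3.BUILD-SNAPSHOT is still treated as below the fixed 2.3.3 release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.-]([A-Za-z][\w.-]*))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad '2.3' to '2.3.0'
    qualifier = (m.group(2) or "RELEASE").upper()
    return tuple(parts), (1 if qualifier == "RELEASE" else 0)


def assess(version: str) -> dict:
    """Return whether a version is affected and which release fixes it (None if none)."""
    key = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= key < parse_version(hi):
            return {"affected": True, "fixed_in": fixed}
    lo, hi = UNPATCHED_RANGE
    if parse_version(lo) <= key <= parse_version(hi):
        return {"affected": True, "fixed_in": None}
    return {"affected": False, "fixed_in": None}


def scan_pom(pom_xml: str) -> list[dict]:
    """Find every spring-security-oauth2 dependency in a pom.xml and assess its version."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        if dep.findtext(f"{ns}groupId", "") != GROUP:
            continue
        if dep.findtext(f"{ns}artifactId", "") != ARTIFACT:
            continue
        ver = dep.findtext(f"{ns}version")
        if ver is None or ver.strip().startswith("${"):
            # Inherited or property-driven version: cannot decide from this file alone.
            findings.append({"version": ver, "affected": None, "fixed_in": None})
            continue
        findings.append({"version": ver.strip(), **assess(ver)})
    return findings


# Constructed sample pom.xml for the demonstration (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
      <version>2.3.2.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.0.1.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM):
        print(finding)
```

The scan walks `dependencyManagement` sections as well as `dependencies`, so a version pinned in a parent BOM is caught when it appears in the same file; versions that come from an unresolved property are surfaced as `affected: None` so they are not silently skipped.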
Affected products
- GHSA coordinates: >= 2.3.0, < 2.3.3
- Pivotal / Spring Security OAuth (CVE record): 2.3 prior to 2.3.3; 2.2 prior to 2.2.2; 2.1 prior to 2.1.2; 2.0 prior to 2.0.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2018:1809 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2018:2939 (Red Hat vendor advisory)
- github.com/advisories/GHSA-rrpm-pj7p-7j9q (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1260 (NVD entry)
- www.securityfocus.com/bid/104158 (SecurityFocus BID entry, via MITRE)
- pivotal.io/security/cve-2018-1260 (Pivotal vendor advisory)
- web.archive.org/web/20200227123539/http://www.securityfocus.com/bid/104158 (archived copy of the BID entry)
News mentions
No linked articles in our index yet.