CVE-2022-31692
Description
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9, could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: the application expects that Spring Security applies security to forward and include dispatcher types; the application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method; the application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include); the application may forward or include the request to a higher privilege-secured endpoint; and the application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Security 5.6.x and 5.7.x vulnerable to authorization bypass when using AuthorizationFilter with forward/include dispatcher types.
Vulnerability
Overview
Spring Security versions 5.7.0 to 5.7.4 and 5.6.0 to 5.6.8 are susceptible to an authorization rules bypass when using the AuthorizationFilter (used via authorizeHttpRequests()) and configuring the filter chain to apply to forward and include dispatcher types [1][2]. The root cause is that under certain configurations, security constraints are not properly enforced on forwarded or included requests, allowing a request to be dispatched to a higher-privilege endpoint without the required authorization checks.
Exploitation
Conditions
Exploitation requires several conditions: the application must use AuthorizationFilter (either manually or via authorizeHttpRequests()), must configure FilterChainProxy to apply to forward and/or include dispatcher types (e.g., via spring.security.filter.dispatcher-types), and must set shouldFilterAllDispatcherTypes(true) [1][2]. Additionally, the application must forward or include the request to a higher privilege-secured endpoint. If any of these conditions are not met, the application is not vulnerable.
Impact
An attacker who can trigger a forward or include dispatch (e.g., by crafting a request that leads to server-side forwarding) can bypass authorization rules and access endpoints that require higher privileges. This could lead to unauthorized access to sensitive functionality or data. The vulnerability does not require authentication but relies on the ability to trigger a dispatch.
Mitigation
The vulnerability is fixed in Spring Security 5.7.5 and 5.6.9 [2]. Users unable to upgrade can apply a workaround: for 5.7.x, use authorizeRequests().filterSecurityInterceptorOncePerRequest(false) instead of shouldFilterAllDispatcherTypes(true). For versions earlier than 5.7.0, an ObjectPostProcessor can be added to configure the filter appropriately [2]. The Spring Security GitHub repository contains the source code for the affected versions [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
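As an added example, not taken from the advisory or the Spring Security project, the following Spring Security 5.7.x Java configuration shows the affected shape described above next to the advisory's 5.7.x workaround. The /admin/** path, the ROLE_ADMIN requirement, the class name and the Spring Boot 2.7 setup are assumptions.

```java
// Added example, not from the advisory or the Spring Security project.
// Assumptions: Spring Boot 2.7 / Spring Security 5.7.0-5.7.4, a servlet app that
// server-side forwards some requests to an endpoint under /admin/** that
// requires ROLE_ADMIN, and application.properties containing (as the advisory
// describes):
//   spring.security.filter.dispatcher-types=request,error,async,forward,include

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Shape that matches the advisory's affected conditions on 5.7.0-5.7.4:
    // AuthorizationFilter via authorizeHttpRequests() combined with
    // shouldFilterAllDispatcherTypes(true). On those versions the FORWARD /
    // INCLUDE dispatch to /admin/** is not re-checked as the application
    // expects. Deliberately not a @Bean; kept only to show what to look for
    // during a configuration review.
    SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz -> authz
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }

    // Advisory workaround for 5.7.x when upgrading to 5.7.5 is not yet
    // possible: use the authorizeRequests() registry with
    // filterSecurityInterceptorOncePerRequest(false), so the
    // FilterSecurityInterceptor re-evaluates the rules on every dispatch of
    // the request, including FORWARD and INCLUDE. Upgrading remains the fix.
    @Bean
    SecurityFilterChain workaroundChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(authz -> authz
                .filterSecurityInterceptorOncePerRequest(false)
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}
```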
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-core (Maven) | >= 5.7.0, < 5.7.5 | 5.7.5 |
| org.springframework.security:spring-security-core (Maven) | >= 5.6.0, < 5.6.9 | 5.6.9 |
Affected products
Spring / Spring Security