Spring Boot Admins integrated notifier support allows arbitrary code execution
Description
Spring Boot Admin is an open source administrative user interface for managing Spring Boot applications. All users who run Spring Boot Admin Server with Notifiers enabled (e.g. Teams-Notifier) and with write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable all notifiers or disable write access (POST requests) on the /env actuator endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Boot Admin Server allows arbitrary code execution via SpEL injection in notifier templates when attackers modify environment variables through the UI.
Vulnerability
Analysis
CVE-2022-46166 is an arbitrary code execution vulnerability in Spring Boot Admin Server, an open-source administrative UI for managing Spring Boot applications [1]. The flaw resides in the notifier component, which sends alerts (e.g., Teams-Notifier). When a user with write access to environment variables via the UI modifies a Spring Boot application's environment, the notifier's template engine evaluates user-controlled input without proper sanitization, leading to SpEL (Spring Expression Language) injection [2].
Exploitation
To exploit this vulnerability, an attacker must have write access to the /env actuator endpoint through the Admin UI, and at least one notifier must be enabled. The attacker can then set an environment variable containing a malicious SpEL expression. When the notifier processes an event, it evaluates the expression, resulting in arbitrary code execution on the server [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the Spring Boot Admin Server. This can lead to full compromise of the server, including data exfiltration, lateral movement, or disruption of monitored applications [2].
Mitigation
The vulnerability is fixed in Spring Boot Admin versions 2.6.10 and 2.7.8 by evaluating notifier templates with a SimpleEvaluationContext for SpEL, which prevents the injection [2]. Users unable to upgrade should disable all notifiers or disable write access (POST requests) on the /env actuator endpoint as a workaround [2].
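The two SpEL evaluation policies that the mitigation contrasts, as an added Java example rather than code from the Spring Boot Admin project: the Instance root object, the template strings and the sample values are assumptions, while StandardEvaluationContext and SimpleEvaluationContext are Spring's own classes.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class NotifierTemplateDemo {
    // Hypothetical root object standing in for the instance a notifier exposes to its message template.
    public static class Instance {
        private final String name;
        public Instance(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable policy: StandardEvaluationContext exposes the whole language, including T(...)
    // type references and arbitrary method invocation, to whoever controls the template text.
    static EvaluationContext fullPowerContext() {
        return new StandardEvaluationContext();
    }

    // Hardened policy used by the fix: read-only property access on the root object only;
    // type references and method calls are rejected at evaluation time.
    static EvaluationContext dataBindingContext() {
        return SimpleEvaluationContext.forReadOnlyDataBinding().build();
    }

    // Renders a "#{...}" template against the root object, as a notifier message property is rendered.
    static String render(String template, EvaluationContext ctx, Instance root) {
        Expression expr = PARSER.parseExpression(template, new TemplateParserContext());
        return expr.getValue(ctx, root, String.class);
    }

    public static void main(String[] args) {
        Instance instance = new Instance("payment-service");   // constructed sample input
        String legit = "Instance #{name} is DOWN";              // what an operator configures
        String probe = "#{T(java.lang.Math).abs(-7)}";          // benign probe: a type reference
        for (String template : new String[] { legit, probe }) {
            System.out.println("standard: " + render(template, fullPowerContext(), instance));
            try {
                System.out.println("simple  : " + render(template, dataBindingContext(), instance));
            } catch (EvaluationException ex) {
                System.out.println("simple  : rejected -> " + ex.getMessage());
            }
        }
    }
}
```

The legitimate template renders identically under both contexts; only the probe's type reference is rejected by the data-binding context, which is the whole point of the fix.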
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| de.codecentric:spring-boot-admin (Maven) | < 2.6.10 | 2.6.10 |
| de.codecentric:spring-boot-admin (Maven) | >= 2.7.0, < 2.7.8 | 2.7.8 |
| de.codecentric:spring-boot-admin (Maven) | >= 3.0.0-M1, < 3.0.0-M6 | 3.0.0-M6 |
Affected products
- (no CPE) range: < 2.6.10, < 2.7.8
- (no CPE) range: < 2.6.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w3x5-427h-wfq6 (GHSA, ADVISORY)
- github.com/codecentric/spring-boot-admin/commit/c14c3ec12533f71f84de9ce3ce5ceb7991975f75 (MITRE, x_refsource_MISC)
- github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.