Missing Authorization When Using @AuthorizeReturnObject
Description
Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Spring Security 6.3.0 and 6.3.1, method security annotations may become ineffective on objects wrapped with @AuthorizeReturnObject under specific conditions, leading to missing authorization.
Vulnerability
Overview
CVE-2024-38810 describes a missing authorization scenario in Spring Security versions 6.3.0 and 6.3.1 when using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory bean. Under certain conditions, the method security advice — including annotations like @PreFilter, @PostFilter, @PreAuthorize, and @PostAuthorize — may not be applied to wrapped objects, rendering them ineffective [1].
Exploitation
Conditions
For exploitation to occur, all of the following must be true simultaneously [1]:
- AnnotationAwareAspectJAutoProxyCreator is the auto-proxy creator (declared directly or via @EnableAspectJAutoProxy);
- the application context contains at least one FactoryBean;
- method security is enabled with @EnableMethodSecurity;
- objects are wrapped using @AuthorizeReturnObject or the AuthorizationAdvisorProxyFactory bean;
- the wrapped objects use @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize annotations.
If any of these conditions is not met, the application is not impacted.
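The following is an added example, not code from the advisory or from the Spring project, that collects the five conditions above in one configuration so that the affected shape can be recognised during a code audit; the class names, bean names and the `Account`/`AccountService` types are hypothetical. On spring-security-core 6.3.0 or 6.3.1 the `@PreAuthorize` on `Account#getOwner` may not be enforced for objects returned by `findAccount`; on 6.3.2 or later it is.

```java
// Added example (not from the advisory or the Spring project): the configuration
// shape the advisory's conditions describe, collected in one place for auditing.
// All class, bean and method names are hypothetical.
package example.audit;

import org.springframework.beans.factory.FactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.method.AuthorizeReturnObject;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableAspectJAutoProxy   // condition 1: AnnotationAwareAspectJAutoProxyCreator is the auto-proxy creator
@EnableMethodSecurity     // condition 3: method security enabled
class AuditConfig {

    // condition 2: at least one FactoryBean is present in the application context
    @Bean
    FactoryBean<String> greetingFactory() {
        return new FactoryBean<>() {
            @Override public String getObject() { return "hello"; }
            @Override public Class<?> getObjectType() { return String.class; }
        };
    }
}

// condition 5: the wrapped object's methods carry method-security annotations
class Account {
    private final String owner;

    Account(String owner) { this.owner = owner; }

    @PreAuthorize("hasRole('ADMIN')")
    public String getOwner() { return owner; }
}

interface AccountService {
    // condition 4: the returned object is wrapped via @AuthorizeReturnObject
    @AuthorizeReturnObject
    Account findAccount(String id);
}
```

If a code base matches this shape, the only remediation the advisory offers is upgrading spring-security-core to 6.3.2 or later.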
Impact
An attacker could potentially bypass authorization checks on methods of the wrapped objects. Since security annotations become ineffective, methods that should be protected (e.g., requiring specific roles or permissions) may be executed without proper authorization, leading to unauthorized access to data or functionality [1].
Mitigation
Spring Security has addressed this vulnerability in versions 6.3.2 and later, and users are advised to upgrade to a fixed version. No workaround is available for affected configurations; applications that do not meet all of the stated conditions are not vulnerable [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-core (Maven) | >= 6.3.0, < 6.3.2 | 6.3.2 |
Affected products
- spring/spring security (v5), affected range: 6.3.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hmqf-wpq9-jq83 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-38810 (GHSA, advisory)
- spring.io/security/cve-2024-38810 (GHSA, web)
News mentions
No linked articles in our index yet.