High severity8.2NVD Advisory· Published Mar 19, 2026· Updated Apr 16, 2026
CVE-2026-22731
CVE-2026-22731
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.4.0, <= 3.4.13 | — |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.5.0, < 3.5.12 | 3.5.12 |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 4.0.0-M1, < 4.0.4 | 4.0.4 |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/apache-nifi-registrypkg:apk/chainguard/camunda-8.8pkg:apk/chainguard/camunda-zeebe-8.6pkg:apk/chainguard/camunda-zeebe-8.7pkg:apk/chainguard/camunda-zeebe-8.8pkg:apk/wolfi/apache-nifi-registrypkg:maven/org.springframework.boot/spring-boot-starter-actuator
< 2.8.0-r3+ 6 more
- (no CPE)range: < 2.8.0-r3
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 8.6.39-r0
- (no CPE)range: < 8.7.27-r0
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 2.8.0-r3
- (no CPE)range: >= 3.4.0, <= 3.4.13
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-8hfc-fq58-r658ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22731ghsaADVISORY
- spring.io/security/cve-2026-22731nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.