Critical severity · 9.1 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 16, 2026
CVE-2026-22732
Description
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP headers, in the following version ranges:
- from 5.7.0 through 5.7.21
- from 5.8.0 through 5.8.23
- from 6.3.0 through 6.3.14
- from 6.4.0 through 6.4.14
- from 6.5.0 through 6.5.8
- from 7.0.0 through 7.0.3
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-web | Maven | <= 5.7.14 | — |
| org.springframework.security:spring-security-web | Maven | >= 5.8.0, <= 5.8.16 | — |
| org.springframework.security:spring-security-web | Maven | >= 6.0.0, <= 6.3.10 | — |
| org.springframework.security:spring-security-web | Maven | >= 6.4.0, <= 6.4.13 | — |
| org.springframework.security:spring-security-web | Maven | >= 6.5.0, < 6.5.9 | 6.5.9 |
| org.springframework.security:spring-security-web | Maven | >= 7.0.0, < 7.0.4 | 7.0.4 |
Affected products
25 affected products (OSV coordinates); 24 version ranges, none with a CPE assigned.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/apache-nifi | < 2.8.0-r5 |
| pkg:apk/chainguard/apache-nifi-registry | < 2.8.0-r2 |
| pkg:apk/chainguard/apache-nifi-registry-toolkit | < 2.8.0-r2 |
| pkg:apk/chainguard/camunda-8.8 | < 8.8.22-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.6 | < 8.6.39-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.7 | < 8.7.27-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.8 | < 8.8.22-r0 |
| pkg:apk/chainguard/jenkins-2.541 | < 2.541.3-r2 |
| pkg:apk/chainguard/jenkins-2.541-openjdk-17 | < 2.541.3-r2 |
| pkg:apk/chainguard/jenkins-2.541-openjdk-21 | < 2.541.3-r2 |
| pkg:apk/chainguard/jenkins-2-openjdk-21 | < 2.555-r3 |
| pkg:apk/chainguard/jenkins-2-openjdk-25 | < 2.555-r3 |
| pkg:apk/chainguard/kafbat-ui | < 1.4.2-r6 |
| pkg:apk/chainguard/kafbat-ui-fips | < 1.4.2-r5 |
| pkg:apk/chainguard/nacos | < 3.2.0-r1 |
| pkg:apk/chainguard/nacos-docker | < 3.2.0-r1 |
| pkg:apk/chainguard/thingsboard-tb-node | < 4.3.1.1-r0 |
| pkg:apk/wolfi/apache-nifi | < 2.8.0-r5 |
| pkg:apk/wolfi/apache-nifi-registry | < 2.8.0-r2 |
| pkg:apk/wolfi/apache-nifi-registry-toolkit | < 2.8.0-r2 |
| pkg:apk/wolfi/jenkins-2-openjdk-21 | < 2.555-r3 |
| pkg:apk/wolfi/jenkins-2-openjdk-25 | < 2.555-r3 |
| pkg:apk/wolfi/thingsboard-tb-node | < 4.3.1.1-r0 |
| pkg:maven/org.springframework.security/spring-security-web | <= 5.7.14 |
References
3 references:
- github.com/advisories/GHSA-mf92-479x-3373 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22732 (source: GHSA; type: advisory)
- spring.io/security/cve-2026-22732 (source: NVD; type: vendor advisory, exploit, web)
News mentions
7 mentions:
- ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More (The Hacker News, Jun 15, 2026)
- Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities (The Hacker News, Jun 10, 2026)
- SAP fixes critical flaws in NetWeaver and Commerce Cloud (BleepingComputer, Jun 9, 2026)
- SAP Patches Critical NetWeaver, Commerce Vulnerabilities (SecurityWeek, Jun 9, 2026)
- SAP Security Patch Day – Critical Vulnerabilities in SAP NetWeaver Patched (Cyber Security News, Jun 9, 2026)
- The EOL Blind Spot in Your CVE Feed: What SCA Tools Don't Check. (BleepingComputer, May 5, 2026)
- The EOL Blind Spot in Your CVE Feed: What SCA Tools Miss (BleepingComputer, May 5, 2026)