Critical severity 9.1 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 16, 2026
CVE-2026-22732
Description
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security:spring-security-web (Maven) | <= 5.7.14 | — |
| org.springframework.security:spring-security-web (Maven) | >= 5.8.0, <= 5.8.16 | — |
| org.springframework.security:spring-security-web (Maven) | >= 6.0.0, <= 6.3.10 | — |
| org.springframework.security:spring-security-web (Maven) | >= 6.4.0, <= 6.4.13 | — |
| org.springframework.security:spring-security-web (Maven) | >= 6.5.0, < 6.5.9 | 6.5.9 |
| org.springframework.security:spring-security-web (Maven) | >= 7.0.0, < 7.0.4 | 7.0.4 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- github.com/advisories/GHSA-mf92-479x-3373 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-22732 (ghsa; ADVISORY)
- spring.io/security/cve-2026-22732 (nvd; Vendor Advisory, Exploit, WEB)