High severity8.2NVD Advisory· Published Mar 20, 2026· Updated Apr 23, 2026
CVE-2026-22733
CVE-2026-22733
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 4.0.0-M1, < 4.0.4 | 4.0.4 |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.5.0, < 3.5.12 | 3.5.12 |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.4.0, <= 3.4.13 | — |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.0.0, <= 3.3.13 | — |
org.springframework.boot:spring-boot-starter-actuatorMaven | <= 2.7.18 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-mgvc-8q2h-5pgcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22733ghsaADVISORY
- spring.io/security/cve-2026-22733nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.