High severity8.2NVD Advisory· Published Mar 20, 2026· Updated Apr 23, 2026
CVE-2026-22733
CVE-2026-22733
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 4.0.0-M1, < 4.0.4 | 4.0.4 |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.5.0, < 3.5.12 | 3.5.12 |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.4.0, <= 3.4.13 | — |
org.springframework.boot:spring-boot-starter-actuatorMaven | >= 3.0.0, <= 3.3.13 | — |
org.springframework.boot:spring-boot-starter-actuatorMaven | <= 2.7.18 | — |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/apache-nifi-registrypkg:apk/chainguard/camunda-8.8pkg:apk/chainguard/camunda-zeebe-8.6pkg:apk/chainguard/camunda-zeebe-8.7pkg:apk/chainguard/camunda-zeebe-8.8pkg:apk/wolfi/apache-nifi-registrypkg:maven/org.springframework.boot/spring-boot-starter-actuator
< 2.8.0-r3+ 6 more
- (no CPE)range: < 2.8.0-r3
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 8.6.39-r0
- (no CPE)range: < 8.7.27-r0
- (no CPE)range: < 8.8.22-r0
- (no CPE)range: < 2.8.0-r3
- (no CPE)range: >= 4.0.0-M1, < 4.0.4
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-mgvc-8q2h-5pgcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22733ghsaADVISORY
- spring.io/security/cve-2026-22733nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.