High severity7.5NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026

CVE-2026-22753

Description

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.security:spring-security-configMaven	>= 7.0.0, < 7.0.5	7.0.5

Affected products

VMware/Spring Security
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
Range: >=7.0.0,<7.0.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-4wrg-8wpc-h923ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-22753ghsaADVISORY
spring.io/security/cve-2026-22753nvdVendor AdvisoryMitigationWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000