Maven package
org.springframework.security/spring-security-oauth2-jose
pkg:maven/org.springframework.security/spring-security-oauth2-jose
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22748 | Med | 5.3 | | >= 6.3.0, <= 6.3.14 | — | Apr 22, 2026 | Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3. |
| CVE-2018-15801 | — | | | >= 5.1.0, < 5.1.2 | 5.1.2 | Dec 19, 2018 | Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could f |