SB20260427181 - Multiple vulnerabilities in Spring Security

Published: April 27, 2026. Updated: April 28, 2026.

Security Bulletin ID: SB20260427181
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 13%, Medium: 50%, Low: 38%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-22751)

The vulnerability allows a remote attacker to establish multiple authenticated sessions with a one-time token.

The vulnerability exists due to a time-of-check time-of-use race condition in JdbcOneTimeTokenService when handling concurrent requests to the authentication endpoint. A remote attacker can send concurrent authentication requests using a valid one-time token and establish multiple authenticated sessions from that single token.

Only applications that explicitly configure one-time token login with JdbcOneTimeTokenService are vulnerable. The default InMemoryOneTimeTokenService is not affected.


2) Observable discrepancy (CVE-ID: CVE-2026-22746)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing discrepancies in DaoAuthenticationProvider when processing authentication requests for disabled, expired, or locked users. A remote attacker can send authentication attempts for different usernames to disclose sensitive information.

The issue is exposed when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.


3) Configuration (CVE-ID: CVE-2026-22748)

The vulnerability allows a remote user to modify application integrity checks.

The vulnerability exists due to improper security configuration in NimbusJwtDecoder#withIssuerLocation and NimbusReactiveJwtDecoder#withIssuerLocation when JWT decoding is configured without a separate OAuth2TokenValidator<Jwt>. A remote user can present a JWT from an unexpected issuer and have it accepted, undermining the application's integrity checks.

The issue arises because developers may assume that withIssuerLocation enables issuer validation automatically, when in fact a separate OAuth2TokenValidator<Jwt> has to be configured.
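The defensive configuration for this item is to attach an explicit issuer validator to the decoder rather than relying on withIssuerLocation alone. The following is an added example written for this bulletin, not code from the Spring project; the ISSUER value is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder issuer for this example; use the real authorization server URL.
    private static final String ISSUER = "https://issuer.example.com/realms/demo";

    @Bean
    JwtDecoder jwtDecoder() {
        // withIssuerLocation resolves the JWK Set from the issuer's metadata.
        // Per the bulletin, do not assume it also checks the token's "iss" claim.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // Explicit validator chain: default timestamp checks (exp/nbf) plus an
        // issuer check that rejects any JWT whose "iss" claim is not ISSUER.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(withIssuer);
        return decoder;
    }
}
```

With this bean in place, a token signed by a key the JWK Set trusts but carrying a different "iss" claim fails validation instead of being accepted.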


4) Improper access control (CVE-ID: CVE-2026-22754)

The vulnerability allows a remote attacker to bypass authorization rules.

The vulnerability exists due to improper access control in XML intercept-url authorization rule handling when computing path matching for configured servlet paths. A remote attacker can send a specially crafted request to bypass authorization rules.

The issue occurs when a servlet path is specified with servlet-path in XML authorization rules, causing the related rules not to be exercised.


5) Improper access control (CVE-ID: CVE-2026-22753)

The vulnerability allows a remote attacker to bypass authentication and authorization controls.

The vulnerability exists due to improper access control in HttpSecurity#securityMatchers path matching when matching requests to a filter chain that uses securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend a servlet path. A remote attacker can send a specially crafted request to bypass authentication and authorization controls.

Only applications using securityMatchers(String) together with a PathPatternRequestMatcher.Builder bean to prepend a servlet path are vulnerable.


6) Input validation error (CVE-ID: CVE-2026-22747)

The vulnerability allows a remote user to impersonate another user.

The vulnerability exists due to improper input validation in SubjectX500PrincipalExtractor when processing malformed X.509 certificate CN values. A remote user can present a carefully crafted certificate to impersonate another user.

Exploitation presupposes compromise of a trusted upstream that validates the presented credentials in the pre-authentication flow.


7) Input validation error (CVE-ID: CVE-2026-22752)

The vulnerability allows a remote user to conduct cross-site scripting, escalate privileges, or trigger server-side request forgery.

The vulnerability exists due to improper input validation in dynamic client registration endpoints when processing crafted client metadata fields. A remote user can register a malicious client with crafted metadata to conduct cross-site scripting, escalate privileges, or trigger server-side request forgery.

Only deployments with dynamic client registration explicitly enabled are vulnerable.


8) Protection Mechanism Failure (CVE-ID: CVE-2026-22732)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper security header handling in HTTP response header writing for servlet applications when lazy writing of HTTP headers is used. A remote attacker can trigger responses in which the configured security headers are not written, which can disclose sensitive information.

This issue affects servlet applications that specify HTTP response headers using Spring Security with lazy header writing enabled.


Remediation

Install the update from the vendor's website.