SB20260428205 - Multiple vulnerabilities in Spring Boot

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-22733)

The vulnerability allows a remote attacker to bypass authentication and disclose sensitive information.

The vulnerability exists due to improper access control in application endpoints declared under the CloudFoundry Actuator path when handling requests to authenticated application endpoints mapped beneath that path. A remote attacker can send a request to the affected endpoint to bypass authentication and disclose sensitive information.

The issue occurs only when an authenticated application endpoint is exposed under a subpath used by the CloudFoundry Actuator endpoints.

2) Improper access control (CVE-ID: CVE-2026-22731)

The vulnerability allows a remote attacker to bypass authentication and disclose sensitive information.

The vulnerability exists due to improper access control in Actuator health group additional path handling when processing requests to an application endpoint declared under a path already configured for a health group additional path. A remote attacker can send a specially crafted request to bypass authentication and disclose sensitive information.

Exploitation requires the Actuator dependency to be present, a custom health group to be exposed under an additional path on the main server, and an authenticated application endpoint to be mapped under a subpath of that additional path.

Remediation

Install update from vendor's website.

References

• https://spring.io/security/cve-2026-22733
• https://spring.io/security/cve-2026-22731