Configuration in Spring Security - CVE-2026-22748
Published: April 27, 2026
Spring Security
VMware, Inc
Description
The vulnerability allows a remote user to modify application integrity checks.
The vulnerability exists due to improper security configuration in NimbusJwtDecoder#withIssuerLocation and NimbusReactiveJwtDecoder#withIssuerLocation when configuring JWT decoding without a separate OAuth2TokenValidator<Jwt>. A remote user can present a JWT with an unexpected issuer to modify application integrity checks.
The issue arises because developers may assume that issuer validation is enabled automatically when using withIssuerLocation, whereas the decoder built this way does not check the issuer unless a separate OAuth2TokenValidator<Jwt> is configured.
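As an added illustration (not code from the advisory or from the Spring Security project), the decoder configuration the advisory describes is shown beside a hardened form that attaches an explicit issuer validator; the issuer URL is a constructed placeholder.

```java
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

public final class IssuerValidatedJwtDecoderConfig {

    // Constructed placeholder for the example; use your own issuer URL.
    private static final String ISSUER = "https://issuer.example.com/realms/app";

    // Weak form: the decoder is built from the issuer location, but no
    // OAuth2TokenValidator<Jwt> compares the token's "iss" claim with ISSUER.
    // A signature-valid JWT carrying an unexpected issuer is accepted.
    static JwtDecoder weakDecoder() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    // Hardened form: createDefaultWithIssuer() builds a validator that checks
    // the "iss" claim against ISSUER and keeps the default timestamp checks,
    // and setJwtValidator() makes the decoder apply it to every token.
    static JwtDecoder hardenedDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(withIssuer);
        return decoder;
    }

    // Reactive counterpart: the same explicit validator is needed, since
    // NimbusReactiveJwtDecoder#withIssuerLocation behaves the same way.
    static ReactiveJwtDecoder hardenedReactiveDecoder() {
        NimbusReactiveJwtDecoder decoder =
                NimbusReactiveJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

When auditing an application, look for NimbusJwtDecoder or NimbusReactiveJwtDecoder beans built with withIssuerLocation that never call setJwtValidator with an issuer-aware validator; by contrast, JwtDecoders.fromIssuerLocation attaches that validator itself, which is one reason the two entry points are easily confused.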