Improper access control in Spring Boot - CVE-2026-22733

Published: April 28, 2026


Vulnerability identifier: #VU128371
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-22733
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Spring
Affected software: Spring Boot

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and disclose sensitive information.

The vulnerability exists due to improper access control for application endpoints mapped beneath the CloudFoundry Actuator path: when a request targets an authenticated application endpoint declared under that path, the expected access control is not applied. A remote attacker can send a request to the affected endpoint to bypass authentication and disclose sensitive information.

The issue occurs only when an authenticated application endpoint is exposed under a subpath used by the CloudFoundry Actuator endpoints; applications with no endpoints mapped beneath that path are not affected.
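The triggering condition above (an authenticated application endpoint mapped beneath the CloudFoundry Actuator subpath) can be checked for statically in a code base before the update is rolled out. The script below is an added example, not code from this advisory or from the Spring project. It assumes Spring Boot's default base path for those endpoints, `/cloudfoundryapplication` (taken from Spring Boot's documentation, not from the advisory; change `CF_ACTUATOR_BASE` if a deployment relocates it), and runs over constructed controller sources embedded inline.

```python
"""Static audit: flag Spring MVC handler mappings that resolve beneath the
CloudFoundry actuator base path, i.e. application endpoints whose access
control may end up governed by the actuator's rules instead of the app's own.
"""
import re
from typing import List

# Default base path of Spring Boot's CloudFoundry actuator endpoints.
# Assumption from Spring Boot's documentation, not from the advisory.
CF_ACTUATOR_BASE = "/cloudfoundryapplication"

# One token per mapping annotation (with its first string argument, if any)
# or per class/interface declaration, in source order.
_TOKEN_RE = re.compile(
    r'@(?P<ann>RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping)'
    r'\s*(?:\(\s*(?:(?:value|path)\s*=\s*)?\{?\s*"(?P<path>[^"]*)"[^)]*\))?'
    r'|(?<!\.)\b(?P<cls>class|interface)\s+\w+'
)


def normalize(path: str) -> str:
    """Canonical form: leading slash, no doubled or trailing slashes.
    The empty path becomes "/"."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def resolve_mappings(java_source: str) -> List[str]:
    """Request paths that the handler methods in one Java source file resolve
    to, combining the class-level mapping (if any) with each method-level
    mapping the way Spring MVC does. Only the first string argument of each
    annotation is read; further array elements are out of scope here."""
    tokens = list(_TOKEN_RE.finditer(java_source))
    prefix = ""
    paths: List[str] = []
    for i, tok in enumerate(tokens):
        if tok.group("cls"):
            continue
        raw = tok.group("path") or ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and nxt.group("cls"):
            # Annotation directly precedes a class/interface declaration:
            # it is the class-level prefix for the methods that follow.
            prefix = raw
        else:
            paths.append(normalize(prefix + "/" + raw))
    return paths


def is_beneath(path: str, base: str = CF_ACTUATOR_BASE) -> bool:
    """True when `path` equals `base` or lies under it (segment-aware, so a
    sibling such as /cloudfoundryapplications/x is not a hit)."""
    p, b = normalize(path), normalize(base)
    return p == b or p.startswith(b + "/")


def audit(java_source: str, base: str = CF_ACTUATOR_BASE) -> List[str]:
    """Paths in `java_source` that resolve beneath the CloudFoundry actuator
    base path; each one deserves review or relocation."""
    return [p for p in resolve_mappings(java_source) if is_beneath(p, base)]


# Constructed sample sources (not from the advisory or any real project).
SAFE_CONTROLLER = '''
@RestController
@RequestMapping("/api/orders")
public class OrderController {
    @GetMapping("/{id}")
    public Order get(@PathVariable long id) { ... }

    @PostMapping
    public Order create(@RequestBody Order o) { ... }
}
'''

RISKY_CONTROLLER = '''
@RestController
@RequestMapping("/cloudfoundryapplication/admin")
public class AdminController {
    @GetMapping(value = "/users", produces = "application/json")
    public List<User> users() { ... }

    @DeleteMapping(path = "/users/{id}")
    public void remove(@PathVariable long id) { ... }
}
'''

if __name__ == "__main__":
    for name, src in (("OrderController", SAFE_CONTROLLER),
                      ("AdminController", RISKY_CONTROLLER)):
        hits = audit(src)
        print(f"{name}: {'OK' if not hits else 'FLAGGED ' + ', '.join(hits)}")
```

Run it over each controller source in the repository (for example by feeding `audit()` the contents of every `*.java` file under the source tree); any flagged path is an application endpoint living under the actuator subpath and should be moved out from under it, independently of applying the vendor update.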


How to mitigate CVE-2026-22733

Install the security update from the vendor's website.

Sources