Protection Mechanism Failure in Spring Security - CVE-2026-22732


Published: April 28, 2026


Vulnerability identifier: #VU128373
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-22732
CWE-ID: CWE-693
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Spring Security
Software vendor:
VMware, Inc

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper handling of security headers when Spring Security writes HTTP response headers for servlet applications and lazy header writing is used. A remote attacker can trigger application responses in which the configured security headers are not written at all, so the response ships without the protection those headers are meant to provide, which can lead to disclosure of sensitive information.

This issue affects servlet applications that configure HTTP response headers through Spring Security and have lazy header writing enabled.
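Because the failure mode is a response that silently lacks its configured headers, the practical check before and after patching is to audit real responses rather than the configuration. The script below is an added example written for this advisory; it is not code from the advisory or from the Spring Security project. It parses constructed raw HTTP responses and reports which of the expected headers are missing or carry an unexpected value. The expected set is an assumption based on Spring Security's documented default header writers (X-Content-Type-Options, X-Frame-Options, Cache-Control, Pragma, Expires, plus Strict-Transport-Security on HTTPS); adjust it to whatever your application actually configures.

```python
"""Audit HTTP responses for the security headers an application expects.

Added example for this advisory, not from the advisory or the Spring Security
project. EXPECTED_HEADERS is an assumption (Spring Security's documented
defaults); the two sample responses below are constructed inline.
"""
from typing import Dict, List, Optional, Tuple

# Header name -> expected value (None means "present with any value").
# Assumption: Spring Security's default header writers for servlet apps.
EXPECTED_HEADERS: Dict[str, Optional[str]] = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}
# Only written on HTTPS responses, so only required when auditing over TLS.
HTTPS_ONLY_HEADERS: Dict[str, Optional[str]] = {"Strict-Transport-Security": None}


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status_code, headers).

    Header names are case-insensitive, so they are lower-cased for lookup.
    The body is ignored; only the status line and header block matter here.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_code, headers


def audit_headers(headers: Dict[str, str], https: bool = False) -> List[str]:
    """Return a list of findings; an empty list means every expected header is there."""
    expected = dict(EXPECTED_HEADERS)
    if https:
        expected.update(HTTPS_ONLY_HEADERS)
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, want in expected.items():
        got = present.get(name.lower())
        if got is None:
            findings.append(f"missing: {name}")
        elif want is not None and got != want:
            findings.append(f"unexpected value: {name}: {got!r} (expected {want!r})")
    return findings


# Constructed sample: a response where all configured headers were written.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "\r\n"
    '{"account":"constructed-sample"}'
)

# Constructed sample: the same endpoint answering without the security headers,
# which is the symptom described in the advisory.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"account":"constructed-sample"}'
)


def audit_raw(raw: str, https: bool = False) -> List[str]:
    """Convenience wrapper: parse a raw response and audit its headers."""
    _status, headers = parse_raw_response(raw)
    return audit_headers(headers, https=https)


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        findings = audit_raw(raw)
        print(f"{label}: {'OK' if not findings else ', '.join(findings)}")
```

Run this against responses captured from every code path of the application, not just the happy path: the advisory's point is that some responses are written without the headers, so a single clean response proves nothing. Pass `https=True` when the capture was taken over TLS so the HSTS header is required as well.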


Remediation

Install security update from vendor's website.

External links