Improper access control in Spring Boot - CVE-2026-22731
Published: April 28, 2026
Vulnerability identifier: #VU128374
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-22731
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Spring
Affected software:
Spring Boot
Spring Boot
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication and disclose sensitive information.
The vulnerability exists due to improper access control in Actuator health group additional path handling when processing requests to an application endpoint declared under a path already configured for a health group additional path. A remote attacker can send a specially crafted request to bypass authentication and disclose sensitive information.
Exploitation requires the Actuator dependency to be present, a custom health group to be exposed under an additional path on the main server, and an authenticated application endpoint to be mapped under a subpath of that additional path.
How to mitigate CVE-2026-22731
Install security update from vendor's website.