Threat Advisory

Critical Spring Security Vulnerability Exposes Authorization Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the widely used authentication and authorization framework, Spring Security 7.0. The issues range from critical metadata validation failures to authorization bypasses, necessitating immediate attention from developers and system administrators. The most severe of the disclosures is CVE-2026-22752, carrying a CVSS score of 9.6, while two authorization bypass flaws, CVE-2026-22754 and CVE-2026-22753, are rated 8.1. These vulnerabilities pose a significant business risk, potentially leading to Stored Cross-Site Scripting, Privilege Escalation, or Server-Side Request Forgery, as well as unauthorized access through X.509 Impersonation and User Attribute Enumeration.

  • CVE-2026-22752 with a CVSS score of 9.6 – This vulnerability resides in the Spring Security Authorization Server when Dynamic Client Registration is enabled, allowing an attacker with a valid Initial Access Token to register a malicious client, leading to Stored Cross-Site Scripting (XSS), Privilege Escalation, or Server-Side Request Forgery.
  • CVE-2026-22754 with a CVSS score of 8.1 – XML authorization rules fail to correctly include the servlet path in path matching, meaning intended security controls may not be exercised.
  • CVE-2026-22753 with a CVSS score of 8.1 – A similar issue occurs in HttpSecurity#securityMatchers when using a PathPatternRequestMatcher.Builder to prepend a servlet path.
  • CVE-2026-22747 – The SubjectX500PrincipalExtractor fails to correctly handle certain malformed Common Name (CN) values in certificates, potentially leading to the framework reading the wrong username, allowing an attacker to impersonate another user.
  • CVE-2026-22746 – A timing attack defense bypass in the DaoAuthenticationProvider allows an attacker to determine if a user is disabled, expired, or locked.
  • CVE-2026-22751 – Applications using JdbcOneTimeTokenService are vulnerable to a TOCTOU (time-of-check/time-of-use) race condition, which can be exploited by an attacker sending concurrent requests to establish several authenticated sessions from a single one-time token.
  • CVE-2026-22748 – A potential security misconfiguration exists when using withIssuerLocation for JWT decoding, potentially allowing attackers to bypass security measures.

The identified vulnerabilities pose a significant risk to businesses, potentially leading to unauthorized access, data breaches, and system compromise. It is crucial that affected versions of Spring Security are upgraded immediately to prevent exploitation of these vulnerabilities.

RECOMMENDATION:

We recommend updating Spring Security to the versions below, according to the maintenance line in use:

  • Spring Security 7.0.x users should upgrade to 7.0.5.
  • Spring Security 6.5.x users should upgrade to 6.5.10.
  • Spring Security 6.4.x users should upgrade to 6.4.16.
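
The following script is an added example and is not part of this advisory: it takes the resolved Spring Security version from a build's dependency report and reports whether that version is at or above the fixed release for its maintenance line (7.0.5, 6.5.10 or 6.4.16 as listed above). It assumes the `groupId:artifactId:type:version:scope` line format that `mvn dependency:tree` prints; the dependency-tree lines embedded below are constructed sample input, not output from a real build, and Gradle users would feed it the equivalent `dependencies` report instead.

```shell
#!/bin/sh
# Added example, not from the advisory: compare resolved Spring Security
# versions against the fixed releases named in the recommendation.
# The SAMPLE_TREE lines are constructed, not real build output.

# Fixed release for a version's maintenance line; empty when the line is
# not one the advisory lists (e.g. an end-of-life 6.3.x).
fixed_version_for() {
  case "$1" in
    7.0.*) echo 7.0.5 ;;
    6.5.*) echo 6.5.10 ;;
    6.4.*) echo 6.4.16 ;;
    *)     echo "" ;;
  esac
}

# Numeric x.y.z comparison: returns 0 when $1 >= $2.
# Qualifiers such as "-SNAPSHOT" are stripped before comparing, so a
# 7.0.5-SNAPSHOT build is treated as 7.0.5.
version_ge() {
  awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Classify one version. Prints a verdict and returns 0 (patched),
# 1 (vulnerable, upgrade needed) or 2 (line not covered by the advisory).
check_version() {
  fixed=$(fixed_version_for "$1")
  if [ -z "$fixed" ]; then
    echo "$1: not on a maintenance line listed in the advisory"
    return 2
  fi
  if version_ge "$1" "$fixed"; then
    echo "$1: patched (>= $fixed)"
    return 0
  fi
  echo "$1: VULNERABLE, upgrade to $fixed"
  return 1
}

# Extract the version field from dependency:tree lines for
# org.springframework.security artifacts; fields are colon-separated as
# groupId:artifactId:type:version:scope, so the version is field 4.
spring_security_versions() {
  grep 'org.springframework.security:' | awk -F: '{ print $4 }' | sort -u
}

# Constructed sample of `mvn dependency:tree` output (not a real build).
SAMPLE_TREE='[INFO] +- org.springframework.security:spring-security-web:jar:6.5.9:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:6.5.9:compile
[INFO] +- org.springframework.security:spring-security-config:jar:6.5.9:compile
[INFO] +- org.springframework:spring-web:jar:6.2.7:compile'

# Audit every distinct Spring Security version found in the sample tree.
printf '%s\n' "$SAMPLE_TREE" | spring_security_versions | while read -r v; do
  check_version "$v" || true
done
```

In a real pipeline, replace the constructed `SAMPLE_TREE` with `mvn dependency:tree | spring_security_versions` and fail the build when `check_version` returns 1; a return of 2 flags a maintenance line the advisory does not cover, which deserves a manual look rather than a silent pass.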

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/spring-security-7-0-vulnerabilities-authorization-bypass-cve-2026-22752/
