Vulnerability in VMware Spring Security
CVE-2026-22732
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (defaul…
EPSS: 0.000 (8.5th percentile).
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Affected products
- VMware Spring Security — versions 5.7.0, 5.8.0, 6.3.0
Frequently asked questions
- What is CVE-2026-22732?
  - CVE-2026-22732 is a critical-severity vulnerability in VMware Spring Security. CVSS score: 9.1/10. Published 2026-03-19.
- How severe is CVE-2026-22732?
  - Critical severity. The CVSS v3 base score is 9.1 out of 10.
- Is CVE-2026-22732 known to be exploited?
  - 1 public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.