What is CVE-2026-22733?

CVE-2026-22733 is a high-severity vulnerability in Spring Security, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 8.2/10. Published 2026-03-19.

How severe is CVE-2026-22733?

High severity. CVSS v3 base score is 8.2 out of 10.

Vulnerability in Spring Security

CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This iss…

EPSS: 0.000 (11.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.

Affected products

Spring Security — versions 4.0.0, 3.5.0, 3.4.0

Weakness classification (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel

References

spring.io/security/cve-2026-22733

Frequently asked questions

What is CVE-2026-22733?: CVE-2026-22733 is a high-severity vulnerability in Spring Security, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 8.2/10. Published 2026-03-19.
How severe is CVE-2026-22733?: High severity. CVSS v3 base score is 8.2 out of 10.