Spring Security
15 CVEs affect Spring Security; the most recent was disclosed on 2026-04-22. Severity breakdown: Critical 1, High 5, the remainder Medium, Low or unscored.
| CVE | Severity | CVSS score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-41232 | Critical | 9.1 | 2025-05-21 | Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may… |
| CVE-2026-22733 | High | 8.2 | 2026-03-19 | Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication… |
| CVE-2026-22754 | High | 7.5 | 2026-04-22 | If an application uses `<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/>` to define the servlet… |
| CVE-2026-22753 | High | 7.5 | 2026-04-22 | If an application is using `securityMatchers(String)` and a `PathPatternRequestMatcher.Builder` bean to prepend a servlet… |
| CVE-2025-22228 | High | 7.4 | 2025-03-20 | `BCryptPasswordEncoder.matches(CharSequence,String)` will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are… |
| CVE-2024-22234 | High | 7.4 | 2024-02-20 | In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly use… |
| CVE-2026-22747 | Medium | 6.8 | 2026-04-22 | `SubjectX500PrincipalExtractor` does not correctly handle certain malformed X.509 certificate CN values, which can lead… |
| CVE-2024-38810 | Medium | 6.5 | 2024-08-20 | Missing authorization when using `@AuthorizeReturnObject` in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective. |
| CVE-2026-22748 | Medium | 5.3 | 2026-04-22 | When an application configures JWT decoding with `NimbusJwtDecoder` or `NimbusReactiveJwtDecoder`, it must configure an O… |
| CVE-2025-22234 | Medium | 5.3 | 2026-01-22 | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in `DaoAuthenticationProvider`. This can allow attackers to infer… |
| CVE-2025-22223 | Medium | 5.3 | 2025-03-24 | Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. … |
| CVE-2026-22751 | Medium | 4.8 | 2026-04-21 | Applications that explicitly configure One-Time Token login with `JdbcOneTimeTokenService` are vulnerable to a Time-of-c… |
| CVE-2019-3795 | Low | 3.8 | 2019-04-09 | Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureR… |
| CVE-2026-22746 | Low | 3.7 | 2026-04-22 | If an application is using the `UserDetails#isEnabled`, `#isAccountNonExpired`, or `#isAccountNonLocked` user attributes, to… |
| CVE-2019-11272 | | | 2019-06-26 | Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using `PlaintextPasswordEncoder`. If an application usi… |
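Two rows in the table concern the password-encoder layer: CVE-2025-22228 (bcrypt only ever hashes the first 72 bytes of its input, so on an affected version any password sharing those 72 bytes with the real one matches) and CVE-2019-11272 (`PlaintextPasswordEncoder`). The Java class below is an added example, not code from the Spring Security project or from this page: a hypothetical `LengthGuardedPasswordEncoder` wrapper that enforces the 72-byte limit on both `encode` and `matches`, placed around a `DelegatingPasswordEncoder` whose id map deliberately contains only `bcrypt`, so a stored `{noop}` (plaintext) value is rejected with an exception instead of being compared. The class name, the encoder map and the sample passwords are constructed for the example; it assumes `spring-security-crypto` on the classpath and Java 11 or later. The `BCryptPasswordEncoder`, `DelegatingPasswordEncoder` and `PasswordEncoder` types are Spring Security's own.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Hypothetical wrapper (not a Spring Security class) that refuses passwords
 * longer than bcrypt can actually hash, instead of letting the primitive
 * silently truncate them.
 */
public final class LengthGuardedPasswordEncoder implements PasswordEncoder {

    /** bcrypt ignores every byte after the 72nd byte of the UTF-8 input. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate;

    LengthGuardedPasswordEncoder(PasswordEncoder delegate) {
        this.delegate = delegate;
    }

    /** Measured in UTF-8 bytes, not chars: multi-byte characters reach the limit sooner. */
    static boolean withinLimit(CharSequence raw) {
        return raw != null
            && raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence raw) {
        if (!withinLimit(raw)) {
            // Refuse to store a hash that would only ever cover a prefix of the password.
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(raw);
    }

    @Override
    public boolean matches(CharSequence raw, String encoded) {
        // Over-long input can never have been accepted by encode(), so it can never
        // match; answer false without handing it to the truncating primitive.
        return withinLimit(raw) && delegate.matches(raw, encoded);
    }

    public static void main(String[] args) {
        // Constructed id map: bcrypt only. DelegatingPasswordEncoder throws
        // IllegalArgumentException for an unmapped id such as "{noop}", so legacy
        // plaintext entries fail closed rather than being compared as plaintext.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        PasswordEncoder encoder =
            new LengthGuardedPasswordEncoder(new DelegatingPasswordEncoder("bcrypt", encoders));

        // Constructed sample: two passwords that share their first 72 bytes and differ after.
        String real = "a".repeat(72);
        String stored = encoder.encode(real);                  // exactly 72 bytes: accepted
        System.out.println(encoder.matches(real, stored));     // true
        // On an affected BCryptPasswordEncoder this call returns true; the guard makes it false.
        System.out.println(encoder.matches(real + "-different", stored));

        try {
            encoder.encode(real + "x");                        // 73 bytes: refused at registration
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        try {
            encoder.matches("secret", "{noop}secret");         // unmapped id: fails closed
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to a fixed release is the actual remediation; the wrapper caps input at registration so no stored hash ever covers only a prefix. Note that `matches` returns fast for over-long input while a real bcrypt comparison is slow, so in a login flow the length check must run before any user lookup (as request validation in front of `DaoAuthenticationProvider`), otherwise the fast path can be correlated with whether the username exists, which is the same class of enumeration problem the table records for the upstream fix under CVE-2025-22234.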