SecuriTricks - CVE-2026-22732

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

Product(s) Impacted

Vendor	Product	Versions
Spring Project	Spring Security	5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-425

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	spring_project	spring_security	5.7.0-5.7.21	/	/	/	/	/	/	/
a	spring_project	spring_security	5.8.0-5.8.23	/	/	/	/	/	/	/
a	spring_project	spring_security	6.3.0-6.3.14	/	/	/	/	/	/	/
a	spring_project	spring_security	6.4.0-6.4.14	/	/	/	/	/	/	/
a	spring_project	spring_security	6.5.0-6.5.8	/	/	/	/	/	/	/
a	spring_project	spring_security	7.0.0-7.0.3	/	/	/	/	/	/	/

References

https://spring.io/security/cve-2026-22732

CVSS Score

9.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

View Vector String

Timeline

Published: March 19, 2026, 11:16 p.m.
Last Modified: March 20, 2026, 3:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-22732