SecuriTricks - CVE-2026-22748

Description

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Product(s) Impacted

Vendor	Product	Versions
Spring	Spring Security	6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.9, 7.0.0-7.0.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	spring	spring_security	6.3.0-6.3.14	/	/	/	/	/	/	/
a	spring	spring_security	6.4.0-6.4.14	/	/	/	/	/	/	/
a	spring	spring_security	6.5.0-6.5.9	/	/	/	/	/	/	/
a	spring	spring_security	7.0.0-7.0.4	/	/	/	/	/	/	/

References

https://spring.io/security/cve-2026-22748

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

View Vector String

Timeline

Published: April 22, 2026, 6:16 a.m.
Last Modified: April 22, 2026, 9:23 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-22748