CVE-2026-2742

March 11, 2026, 1:53 p.m.

5.3
Medium

Description

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Product(s) Impacted

Vendor Product Versions
Vaadin
  • Vaadin
  • 14.0.0-14.14.0, 23.0.0-23.6.6, 24.0.0-24.9.7, 25.0.0-25.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a vaadin vaadin 14.0.0-14.14.0 / / / / / / /
a vaadin vaadin 23.0.0-23.6.6 / / / / / / /
a vaadin vaadin 24.0.0-24.9.7 / / / / / / /
a vaadin vaadin 25.0.0-25.0.1 / / / / / / /

References

https://github.com/vaadin/flow/pull/22998
https://github.com/vaadin/flow/pull/23033
https://github.com/vaadin/flow/pull/23034
https://github.com/vaadin/flow/pull/23037
https://github.com/vaadin/flow/pull/23052
https://github.com/vaadin/flow/pull/23057
https://vaadin.com/security/cve-2026-2742

Tags

CWE-284
[email protected]
2026-03-10
CVE-2026-2742

CVSS Score

5.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

    View Vector String

Timeline

Published: March 10, 2026, 6:18 p.m.
Last Modified: March 11, 2026, 1:53 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.