Spring Product Security Update Advisory
overview
Security updates have been released that address vulnerabilities in Spring products. Users of affected products are encouraged to update to the latest version.
affected products
CVE-2026-22731
Spring Boot version: 4.0.0 or later and 4.0.3 or earlier
Spring Boot version: 3.5.0 or later and 3.5.11 or earlier
Spring Boot version: 3.4.0 or later and 3.4.14 or earlier
CVE-2026-22732
Spring Security version: 5.7.0 or later and 5.7.21 or earlier
Spring Security version: 5.8.0 or later and 5.8.23 or earlier
Spring Security version: 6.3.0 or later and 6.3.14 or earlier
Spring Security version: 6.4.0 or later and 6.4.14 or earlier
Spring Security version: 6.5.0 or later and 6.5.8 or earlier
Spring Security version: 7.0.0 or later and 7.0.3 or earlier
CVE-2026-22733
Spring Boot version: 4.0.0 or later and 4.0.3 or earlier
Spring Boot version: 3.5.0 or later and 3.5.11 or earlier
Spring Boot version: 3.4.0 or later and 3.4.14 or earlier
Spring Boot version: 3.3.0 or later and 3.3.17 or earlier
Spring Boot version: 2.7.0 or later and 2.7.31 or earlier
resolved vulnerabilities
Authentication bypass vulnerability in the Actuator Health group path (CVE-2026-22731)
Vulnerability in Spring Security where the security HTTP response headers are not written under certain conditions (CVE-2026-22732)
Authentication bypass vulnerability in Actuator CloudFoundry endpoints (CVE-2026-22733)
vulnerability patches
Vulnerability patches are available in the latest updates. Please follow the instructions on the reference sites to update to a patched version.
CVE-2026-22731
Spring Boot version: 4.0.4
Spring Boot version: 3.5.12
Spring Boot version: 3.4.15
CVE-2026-22732
Spring Security version: 5.7.22
Spring Security version: 5.8.24
Spring Security version: 6.3.15
Spring Security version: 6.4.15
Spring Security version: 6.5.9
Spring Security version: 7.0.4
CVE-2026-22733
Spring Boot version: 4.0.4
Spring Boot version: 3.5.12
Spring Boot version: 3.4.15
Spring Boot version: 3.3.18
Spring Boot version: 2.7.32
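The following script is an added example, not part of this advisory or of the Spring project, that encodes the affected and fixed ranges listed above and reports which CVEs apply to a given Spring Boot or Spring Security version. It assumes versions of the form major.minor.patch with an optional qualifier (for example 4.0.4-SNAPSHOT, 4.0.4-RC1 or 5.3.2.RELEASE); qualifiers other than RELEASE are treated as pre-releases that precede the final build, so a pre-release of a fixed version is still reported as affected. A version on a release line that the advisory does not list is reported as "not in any affected range", which is not the same as "not vulnerable" (the line may be out of support).

```python
import re
import sys

# Affected ranges and fixed versions taken from this advisory:
# (first affected, last affected, fixed) per release line.
ADVISORY = {
    "CVE-2026-22731": ("Spring Boot", [
        ("4.0.0", "4.0.3", "4.0.4"),
        ("3.5.0", "3.5.11", "3.5.12"),
        ("3.4.0", "3.4.14", "3.4.15"),
    ]),
    "CVE-2026-22732": ("Spring Security", [
        ("5.7.0", "5.7.21", "5.7.22"),
        ("5.8.0", "5.8.23", "5.8.24"),
        ("6.3.0", "6.3.14", "6.3.15"),
        ("6.4.0", "6.4.14", "6.4.15"),
        ("6.5.0", "6.5.8", "6.5.9"),
        ("7.0.0", "7.0.3", "7.0.4"),
    ]),
    "CVE-2026-22733": ("Spring Boot", [
        ("4.0.0", "4.0.3", "4.0.4"),
        ("3.5.0", "3.5.11", "3.5.12"),
        ("3.4.0", "3.4.14", "3.4.15"),
        ("3.3.0", "3.3.17", "3.3.18"),
        ("2.7.0", "2.7.31", "2.7.32"),
    ]),
}

# major.minor.patch followed by an optional "-QUALIFIER" or ".QUALIFIER"
# (assumed format; covers SNAPSHOT, M1, RC1 and the legacy .RELEASE suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.*))?$")


def parse_version(version):
    """Turn a version string into a comparable tuple (major, minor, patch, final).

    `final` is 1 for a released build and 0 for a pre-release, so that
    4.0.4-RC1 sorts before 4.0.4 and is not mistaken for the fixed release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    final = 1 if qualifier in (None, "", "RELEASE") else 0
    return (int(major), int(minor), int(patch), final)


def check(product, version):
    """Return {cve: fixed_version} for every entry whose range contains `version`.

    A version counts as affected when it is at or above the first affected
    version of a release line and strictly below that line's fixed version,
    which is the conservative reading of "X or earlier" (pre-releases of the
    fix are still affected). An empty dict means no listed range matched.
    """
    v = parse_version(version)
    hits = {}
    for cve, (listed_product, lines) in ADVISORY.items():
        if listed_product != product:
            continue
        for first_affected, _last_affected, fixed in lines:
            if parse_version(first_affected) <= v < parse_version(fixed):
                hits[cve] = fixed
    return hits


def report(product, version):
    """Human-readable one-line summary for a product/version pair."""
    hits = check(product, version)
    if not hits:
        return f"{product} {version}: not in any affected range of this advisory"
    return "; ".join(
        f"{product} {version}: {cve} affected, update to {fixed}"
        for cve, fixed in sorted(hits.items())
    )


if __name__ == "__main__":
    # Constructed sample inventory; replace with versions read from your
    # pom.xml / build.gradle or from `mvn dependency:list` output.
    inventory = [
        ("Spring Boot", "3.5.11"),
        ("Spring Boot", "3.3.10"),
        ("Spring Boot", "4.0.4-SNAPSHOT"),
        ("Spring Security", "6.4.14"),
        ("Spring Security", "7.0.4"),
    ]
    if len(sys.argv) == 3:
        inventory = [(sys.argv[1], sys.argv[2])]
    for product, version in inventory:
        print(report(product, version))
```

Run it with no arguments to see the constructed sample inventory, or as `python check_spring.py "Spring Security" 6.5.7` to check a single version. Note that the script only compares version numbers against this advisory; it does not tell you whether Actuator health groups or the CloudFoundry endpoints are exposed in your deployment, which is what determines exploitability.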
references
[1] CVE-2026-22731: Authentication Bypass under Actuator Health groups paths
https://spring.io/security/cve-2026-22731
[2] CVE-2026-22732: Under Some Conditions Spring Security HTTP Headers Are not Written
https://spring.io/security/cve-2026-22732
[3] CVE-2026-22733: Authentication Bypass under Actuator CloudFoundry endpoints
https://spring.io/security/cve-2026-22733