Spring Product Security Update Advisory
Overview.
Two vulnerabilities have been announced in the Spring project's Spring Security component.
The vulnerability identifiers are CVE-2026-22753 and CVE-2026-22754.
Affected versions are Spring Security 7.0.0 through 7.0.4 (7.0.0 and later, up to and including 7.0.4).
Patches are available in version 7.0.5.
Vulnerability details.
CVE-2026-22753 is an issue in which the path matching performed by HttpSecurity#securityMatchers does not correctly include the servlet path, which can allow the intended path-based security rules to be bypassed.
CVE-2026-22754 is an issue in which the servlet path is likewise missing from the path matching of XML-based authorization rules, which can allow authorization to be bypassed.
Both vulnerabilities carry the risk that authorization checks or access control policies are defeated because the path a rule is evaluated against is not the path the request is actually served on.
Impact and Risk.
Impacts include path-based security policies being rendered ineffective, unauthorized access to resources that were meant to be protected, and bypass of authorization checks.
Threat actors could exploit the incorrect path matching to reach functionality or data they are not authorized for.
Response and Advisory.
Both vulnerabilities have been fixed in version 7.0.5.
Users of affected versions are advised to update to the patched version (7.0.5).
It is recommended that the impact on each system be assessed and the update tested before it is deployed. When assessing impact, review the rules written with path patterns in HttpSecurity#securityMatchers and in XML-based authorization configuration, since those are the two matching paths this advisory names.
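The first step of that assessment is finding out which Spring Security versions are actually on the classpath. The script below is an added example for this advisory, not part of the advisory or of Spring's own tooling: it reads the text output of "mvn dependency:tree" or "gradle dependencies" and flags Spring Security artifacts whose resolved version falls in the affected range 7.0.0 through 7.0.4. Reading the resolved dependency tree rather than pom.xml or build.gradle catches versions pulled in transitively or managed by a BOM, where the affected version never appears in the build file itself. The sample tree text is constructed, and the line patterns are assumptions about the output format of those two tools.

```python
"""Flag Spring Security artifacts in the affected range named by this advisory.

Added example for the advisory text above; not Spring tooling. Input is the text
of `mvn dependency:tree` or `gradle dependencies` (assumed output formats).
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the advisory: 7.0.0 through 7.0.4 affected, fixed in 7.0.5.
AFFECTED_MIN: Version = (7, 0, 0)
AFFECTED_MAX: Version = (7, 0, 4)
FIXED_VERSION = "7.0.5"

# Matches both Maven lines ("...:spring-security-web:jar:7.0.3:compile") and
# Gradle lines ("...:spring-security-web:7.0.2 -> 7.0.3", or a BOM-managed
# "...:spring-security-web -> 7.0.3"). Group 2 is the declared version, group 3
# the Gradle-resolved version when a "->" arrow is present.
_DEP_RE = re.compile(
    r"org\.springframework\.security:(spring-security-[\w-]+)"
    r"(?::[a-z]+)?"                              # Maven packaging, e.g. ":jar"
    r"(?::(\d+\.\d+\.\d+[\w.-]*))?"              # declared version, if any
    r"(?:\s*->\s*(\d+\.\d+\.\d+[\w.-]*))?"       # Gradle resolved version
)


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for '7.0.3' or '7.0.3-SNAPSHOT'; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, resolved_version, affected) for every Spring Security artifact found.

    A Gradle "->" resolved version wins over the declared one, because that is
    the version actually placed on the classpath.
    """
    findings = []
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        artifact, declared, resolved = m.group(1), m.group(2), m.group(3)
        version_str = resolved or declared
        if version_str is None:
            continue  # artifact listed without any version; nothing to judge
        version = parse_version(version_str)
        findings.append((artifact, version_str, version is not None and is_affected(version)))
    return findings


def affected_artifacts(tree_text: str) -> List[str]:
    """Sorted, de-duplicated 'artifact:version' entries that need the 7.0.5 update."""
    return sorted({f"{a}:{v}" for a, v, hit in scan_dependency_tree(tree_text) if hit})


# Constructed sample output, shaped like `mvn dependency:tree` (affected build).
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.security:spring-security-config:jar:7.0.3:compile
[INFO] +- org.springframework.security:spring-security-web:jar:7.0.3:compile
[INFO] \\- org.springframework.security:spring-security-test:jar:7.0.3:test
"""

# Constructed sample output, shaped like `gradle dependencies` (already on 7.0.5).
SAMPLE_GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.security:spring-security-web:7.0.2 -> 7.0.5
|    \\--- org.springframework.security:spring-security-core:7.0.5
\\--- org.springframework.security:spring-security-config -> 7.0.5
"""

if __name__ == "__main__":
    for name, tree in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_TREE)):
        hits = affected_artifacts(tree)
        status = f"update to {FIXED_VERSION}: {hits}" if hits else "not in affected range"
        print(f"{name}: {status}")
```

Run it against real output with something like `mvn dependency:tree | python3 check_spring_security.py` after changing the main block to read stdin; the sample trees are there only so the script demonstrates both a hit and a clean result offline. A version outside 7.0.x is reported as not in range simply because this advisory names no other branch, so do not read that as a statement about other release lines.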
References.
CVE-2026-22753: https://spring.io/security/cve-2026-22753
CVE-2026-22754: https://spring.io/security/cve-2026-22754