CVE-2026-22733
Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints
CVSS 3.1 base score: 8.2 (HIGH)
EPSS: 0.04%
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
How to fix CVE-2026-22733
To remediate CVE-2026-22733, upgrade the affected package to a fixed version:
- Upgrade to 4.0.4 or later.
Is CVE-2026-22733 being exploited?
Low: the EPSS score is 0.0%, indicating that exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0-M1, < 4.0.4
CVSS scores
| Source | CVSS version | Score (severity) | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | 8.2 (HIGH) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |