CVE-2026-22753 - Vulnerability Details - OpenCVE

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://spring.io/security/cve-2026-22753

History

Wed, 22 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-279 CWE-290

Wed, 22 Apr 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Title		Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers
References		https://spring.io/security/cve-2026-22753
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-04-22T05:20:31.083Z

Updated: 2026-04-22T05:20:31.083Z

Reserved: 2026-01-09T06:55:03.991Z

Link: CVE-2026-22753

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T06:16:04.160

Modified: 2026-04-22T06:16:04.160

Link: CVE-2026-22753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22753", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.991Z", "datePublished": "2026-04-22T05:20:31.083Z", "dateUpdated": "2026-04-22T05:20:31.083Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:20:31.083Z"}, "title": "Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using\u00a0securityMatchers(String)\u00a0and a\u00a0PathPatternRequestMatcher.Builder\u00a0bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application is using <code>securityMatchers(String)</code> and a <code>PathPatternRequestMatcher.Builder</code> bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.<p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22753"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"analysis": {"en": {"generated_at": "2026-04-22T07:04:35.858323+00:00", "value": {"mitigation_remediation": ["Apply the official Spring Security update (7.0.5+) or a later version that contains the fix for CVE-2026-22753.", "If upgrading immediately is not possible, review the configuration of securityMatchers and any PathPatternRequestMatcher.Builder beans; remove or adjust the servlet path prepending so that request paths are correctly matched to the appropriate security filter chain.", "Verify that authentication and authorization handlers remain active for all critical endpoints by running functional tests or a security assessment, and monitor logs for any unexpected unauthenticated requests after the change."], "summary": {"action": "Immediate Patch", "impact": "Authentication & Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Spring Security versions 7.0.0 through 7.0.4 are affected. The flaw lies in the Spring:Spring Security library. Applications that configure securityMatchers and prepend servlet paths via a PathPatternRequestMatcher.Builder are at risk. No other vendors or products are listed.", "description_and_impact": "The vulnerability stems from a flaw in Spring Security\u2019s request matching logic. When an application uses the securityMatchers(String) method together with a PathPatternRequestMatcher.Builder that prepends a servlet path, the resulting request paths can fail to match the intended security filter chain. Consequently, the authentication, authorization, and other security checks that belong to that chain are not executed. An attacker can exploit this mis\u2011matching to send requests that bypass authentication or authorization checks, gaining unauthorized access to protected resources. The weakness is one of improper authentication and authorization due to a logic error in request path resolution.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high impact severity. EPSS data is not available, so the current likelihood of exploitation cannot be quantified, and the issue is not listed in CISA\u2019s KEV catalog. The attack is likely remote, where an attacker can target the application over the network with crafted requests that exploit the mis\u2011matched paths. The flaw does not require elevated privileges or code execution; it simply allows bypass of authentication and authorization controls. While no public exploit has been reported, the combination of broad version impact and high severity suggests that patching should occur promptly."}}}}, "created": "2026-04-22T07:15:11.666108+00:00", "updated": "2026-04-22T07:15:11.666119+00:00", "vendors": [], "weaknesses": ["CWE-279", "CWE-290"]}