Spring Security Vulnerabilities - Critical Updates Released

The Flaw

On March 19, 2026, Spring published a critical security advisory addressing vulnerabilities in Spring Boot and Spring Security. These vulnerabilities include issues that could allow unauthorized access to sensitive information. Specifically, the advisory highlights three critical CVEs: CVE-2026-22731, CVE-2026-22718, and CVE-2026-22733. Each of these vulnerabilities poses serious risks to applications using these frameworks.

CVE-2026-22731 allows for authentication bypass under Actuator Health group paths. This means that attackers could potentially access sensitive health information without proper authorization. CVE-2026-22718 indicates that under certain conditions, HTTP headers in Spring Security may not be written correctly, leading to security misconfigurations. Lastly, CVE-2026-22733 also facilitates authentication bypass, specifically under Actuator CloudFoundry endpoints.

What's at Risk

These vulnerabilities affect multiple versions of Spring Boot and Spring Security, making a wide range of applications potentially vulnerable. If left unaddressed, attackers could exploit these flaws to gain unauthorized access to applications, leading to data breaches or service disruptions. The Cyber Centre has emphasized the importance of applying the updates promptly to mitigate these risks.

The impact of these vulnerabilities is significant, especially for organizations relying on Spring frameworks for their applications. If attackers exploit these flaws, they could gain access to sensitive data or even take control of affected systems. Therefore, it is crucial for users and administrators to understand the implications of these vulnerabilities.

Patch Status

Spring has released updates to address these vulnerabilities, and users are strongly encouraged to apply these patches immediately. The advisories provide detailed instructions on how to update affected systems. It is vital to check the specific versions of Spring Boot and Spring Security in use and ensure they are updated to the latest secure versions.

Organizations should prioritize these updates in their security protocols. Regularly checking for security advisories and applying patches is essential to maintaining a secure environment. The sooner these vulnerabilities are patched, the lower the risk of exploitation.

Immediate Actions

To protect your applications, follow these steps:

1. Review the security advisories provided by Spring.
2. Identify the versions of Spring Boot and Spring Security you are using.
3. Apply the necessary updates as outlined in the advisories.
4. Monitor your systems for any unusual activity following the updates.

By taking these actions, you can significantly reduce the risk posed by these vulnerabilities. Security is an ongoing process, and staying informed about potential threats is key to safeguarding your applications.