CVE-2022-31690 is a high-severity privilege escalation vulnerability affecting Spring Security's OAuth2 client module in versions 5.7 prior to 5.7.5, 5.6 prior to 5.6.9, and older unsupported versions. The vulnerability arises when a malicious user or attacker manipulates the OAuth2 authorization flow by modifying a client-initiated request to the Authorization Server. Specifically, if the Authorization Server returns an OAuth2 Access Token Response with an empty scope list (as permitted by RFC 6749, Section 5.1), the client may incorrectly grant elevated privileges during the subsequent token approval process. This flaw can lead to unauthorized privilege escalation without requiring authentication or user interaction. The vulnerability exploits the way Spring Security processes OAuth2 token responses, allowing attackers to gain higher access rights than intended. The CVSS v3.1 score is 8.1 (high), reflecting the network attack vector, high impact on confidentiality, integrity, and availability, and no required privileges or user interaction. No known exploits in the wild have been reported to date, but the vulnerability poses a significant risk to applications relying on vulnerable Spring Security versions for OAuth2 client authentication and authorization.

For European organizations, this vulnerability poses a critical risk especially for enterprises and public sector entities that use Spring Security for OAuth2-based authentication and authorization in their web applications and APIs. Exploitation could allow attackers to escalate privileges, potentially accessing sensitive data, modifying application behavior, or disrupting services. This can lead to data breaches, compliance violations (e.g., GDPR), and operational disruptions. Given the widespread adoption of Spring Security in Europe’s software ecosystem, including financial institutions, healthcare providers, and government agencies, the impact could be extensive. Attackers exploiting this vulnerability could bypass intended access controls, leading to unauthorized data access or manipulation. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing the threat level. Additionally, compromised applications could be used as pivot points for further attacks within organizational networks.

European organizations should immediately assess their use of Spring Security versions and prioritize upgrading to versions 5.7.5 or 5.6.9 and later, where this vulnerability is patched. If immediate upgrading is not feasible, organizations should implement strict validation of OAuth2 token responses, ensuring that empty scope lists are handled securely and do not result in privilege escalation. Application-level mitigations include enforcing least privilege principles, adding additional authorization checks post-token acquisition, and monitoring OAuth2 token exchange logs for anomalies such as empty scopes or unexpected token responses. Network-level controls such as restricting access to the Authorization Server and token endpoints to trusted clients and IP ranges can reduce exposure. Security teams should also conduct thorough penetration testing focused on OAuth2 flows to detect potential exploitation attempts. Finally, organizations should stay alert for any emerging exploit reports and apply security advisories promptly.