CVE-2026-22731 is an authentication bypass vulnerability categorized under CWE-288 that affects Spring Boot applications using the Actuator module. The vulnerability occurs when an application endpoint requiring authentication is declared under a path that is already configured as an additional path for a Health Group within Spring Boot's Actuator. This misconfiguration allows attackers to bypass authentication mechanisms and access sensitive endpoints without credentials. The affected versions include Spring Boot 4.0 prior to 4.0.3, 3.5 prior to 3.5.11, and 3.4 prior to 3.4.15. The vulnerability is distinct but related to CVE-2026-22733, differing in conditions and affected versions. The CVSS v3.1 base score is 8.2, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, indicating network exploitable, low attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. Exploiting this flaw can expose sensitive application data accessible via Actuator endpoints, potentially leaking internal system information or operational metrics. No public exploits have been reported yet, but the vulnerability poses a significant risk to applications exposing Actuator endpoints without proper authentication. The root cause lies in the way Spring Boot handles Health Group additional paths, which can inadvertently override or bypass authentication requirements for endpoints declared under those paths. This vulnerability underscores the importance of carefully configuring Actuator endpoints and health groups to avoid unintended access control weaknesses.

The primary impact of CVE-2026-22731 is unauthorized access to sensitive Actuator endpoints in Spring Boot applications, leading to a high confidentiality breach. Attackers can bypass authentication controls and retrieve potentially sensitive operational data, configuration details, or health metrics that could facilitate further attacks or reconnaissance. Although the integrity and availability impacts are low, the exposure of internal application details can aid attackers in crafting more targeted exploits or cause reputational damage. Organizations relying on Spring Boot for critical applications, especially those exposing Actuator endpoints in production environments, face increased risk of data leakage and compliance violations. The ease of exploitation—requiring no authentication or user interaction—and network accessibility make this vulnerability particularly dangerous in internet-facing applications. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation. Failure to address this vulnerability could lead to unauthorized disclosure of sensitive information, undermining trust and potentially violating data protection regulations.

To mitigate CVE-2026-22731, organizations should immediately upgrade Spring Boot to versions 4.0.3 or later, 3.5.11 or later, or 3.4.15 or later where the vulnerability is patched. If upgrading is not immediately feasible, administrators must audit and restrict access to Actuator endpoints, ensuring that authentication is enforced consistently across all paths, including those configured as Health Group additional paths. Implement network-level access controls such as IP whitelisting or VPN-only access to sensitive management endpoints. Review and avoid declaring application endpoints under paths already used by Health Groups to prevent bypass scenarios. Employ security best practices such as using strong authentication mechanisms (e.g., OAuth2, Basic Auth with strong credentials) and enabling HTTPS to protect data in transit. Regularly monitor application logs for suspicious access patterns to Actuator endpoints. Additionally, conduct thorough security testing and code reviews focusing on endpoint configuration and access control logic. Finally, maintain awareness of related vulnerabilities like CVE-2026-22733 to ensure comprehensive protection.