CVE-2026-22753: Vulnerability in Spring Spring Security
CVE-2026-22753 is a vulnerability in Spring Security versions 7. 0. 0 through 7. 0. 4 where using securityMatchers(String) combined with a PathPatternRequestMatcher. Builder bean to prepend a servlet path can cause requests to bypass the intended security filter chain. This results in authentication, authorization, and other security controls not being applied to those requests as designed, potentially allowing unauthorized actions. The vulnerability has a CVSS score of 7. 5, indicating high severity. No official patch or remediation guidance is currently provided by the vendor.
AI Analysis
Technical Summary
This vulnerability affects Spring Security versions 7.0.0 through 7.0.4. When an application uses securityMatchers(String) along with a PathPatternRequestMatcher.Builder bean to prepend a servlet path, the matching of requests to the security filter chain may fail. Consequently, the security components such as authentication and authorization may not be exercised on those requests, effectively disabling intended security controls. The issue is tracked as CVE-2026-22753 and is categorized under CWE-693 (Protection Mechanism Failure). The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low complexity and no privileges or user interaction required, impacting integrity but not confidentiality or availability.
Potential Impact
The impact of this vulnerability is that security controls including authentication and authorization may be bypassed for certain requests due to incorrect request matching in the filter chain. This can allow unauthorized users to perform actions that should be restricted, compromising the integrity of the application. There is no indication that confidentiality or availability are affected. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should review their use of securityMatchers(String) and PathPatternRequestMatcher.Builder beans to ensure that servlet path prepending does not cause security filters to be bypassed. Consider alternative configurations or additional manual checks to enforce security controls on all relevant requests.
CVE-2026-22753: Vulnerability in Spring Spring Security
Description
CVE-2026-22753 is a vulnerability in Spring Security versions 7. 0. 0 through 7. 0. 4 where using securityMatchers(String) combined with a PathPatternRequestMatcher. Builder bean to prepend a servlet path can cause requests to bypass the intended security filter chain. This results in authentication, authorization, and other security controls not being applied to those requests as designed, potentially allowing unauthorized actions. The vulnerability has a CVSS score of 7. 5, indicating high severity. No official patch or remediation guidance is currently provided by the vendor.
CVSS v3.1
Score 7.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Spring Security versions 7.0.0 through 7.0.4. When an application uses securityMatchers(String) along with a PathPatternRequestMatcher.Builder bean to prepend a servlet path, the matching of requests to the security filter chain may fail. Consequently, the security components such as authentication and authorization may not be exercised on those requests, effectively disabling intended security controls. The issue is tracked as CVE-2026-22753 and is categorized under CWE-693 (Protection Mechanism Failure). The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low complexity and no privileges or user interaction required, impacting integrity but not confidentiality or availability.
Potential Impact
The impact of this vulnerability is that security controls including authentication and authorization may be bypassed for certain requests due to incorrect request matching in the filter chain. This can allow unauthorized users to perform actions that should be restricted, compromising the integrity of the application. There is no indication that confidentiality or availability are affected. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should review their use of securityMatchers(String) and PathPatternRequestMatcher.Builder beans to ensure that servlet path prepending does not cause security filters to be bypassed. Consider alternative configurations or additional manual checks to enforce security controls on all relevant requests.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-01-09T06:55:03.991Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8609e19fe3cd2cd71451d
Added to database: 4/22/2026, 5:46:06 AM
Last enriched: 4/29/2026, 11:16:11 AM
Last updated: 6/8/2026, 5:34:20 AM
Views: 121
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.