=====================================================================
CERT-Renater
Information Note No. 2026/VULN414
_____________________________________________________________________
DATE : 22/04/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Spring Security versions prior
to 7.0.5, 6.5.10, 6.4.16, 6.3.16, 5.8.25,
Spring Authorization Server versions prior to
1.3.11, 1.4.10, 1.5.7.
=====================================================================
https://spring.io/security/cve-2026-22752/
https://spring.io/security/cve-2026-22753/
https://spring.io/security/cve-2026-22754/
https://spring.io/security/cve-2026-22747/
https://spring.io/security/cve-2026-22748/
https://spring.io/security/cve-2026-22746/
https://spring.io/security/cve-2026-22751/
_____________________________________________________________________
CVE-2026-22752: Spring Security Authorization Server Dynamic Client
Registration endpoints perform insufficient validation of client
metadata
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Description
Spring Security Authorization Server Dynamic Client Registration
endpoints perform insufficient validation of certain client
metadata fields when explicitly enabled.
An attacker possessing a valid Initial Access Token can dynamically
register a malicious client with crafted metadata. Depending on the
metadata provided and the Authorization Server's configuration, this
can lead to Stored Cross-Site Scripting (XSS), Privilege Escalation,
or Server-Side Request Forgery (SSRF).
Affected Spring Products and Versions
Spring Security:
7.0.0 - 7.0.4
Spring Authorization Server:
1.3.0 - 1.3.10
1.4.0 - 1.4.9
1.5.0 - 1.5.6
Mitigation
Users of affected versions should upgrade to the corresponding fixed
version.
Affected version(s)   Fix version   Availability
7.0.x                 7.0.5         OSS
1.3.x                 1.3.11        Commercial
1.4.x                 1.4.10        Commercial
1.5.x                 1.5.7         OSS
Credit
The issue was identified and responsibly reported by KelvinMbogo
(@addcontent).
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&version=3.1
____________________________________________________________________
CVE-2026-22753: Servlet Path Not Correctly Included in Path Matching
of HttpSecurity#securityMatchers
HIGH | APRIL 20, 2026 | CVE-2026-22753
Description
If an application is using securityMatchers(String) and a
PathPatternRequestMatcher.Builder bean to prepend a servlet path,
matching requests to that filter chain may fail and its related
security components will not be exercised as intended by the
application. This can lead to the authentication, authorization,
and other security controls being rendered inactive on intended
requests.
If you are not using securityMatchers(String), you are not
affected. Also, if you are not configuring a servlet path or are
not using a PathPatternRequestMatcher.Builder bean to describe
the servlet path, you are not affected.
If you are using Spring Boot, it may not be readily apparent to
you if you are using a PathPatternRequestMatcher.Builder bean to
prepend a servlet path. One common way to determine this is by
looking for the Spring Boot property spring.mvc.servlet.path in
your application; it may have a value like /api or /mvc.
Affected Spring Products and Versions
Spring Security:
7.0.0 - 7.0.4
Spring Security 6.x and earlier are not affected; the described
interaction involves Spring Security 7's integration between
string-based matchers and a published
PathPatternRequestMatcher.Builder bean.
Mitigation
Users of affected versions should upgrade to the corresponding
fixed version.
Affected version(s)   Fix version   Availability
7.0.x                 7.0.5         OSS
If you are not able to upgrade, you can place the servlet path
directly in the matcher pattern as follows:
http
    .securityMatchers("/servlet-path/admin/**")
    // ...
Credit
The issue was identified and responsibly reported by Apex, a
Cantinas AppSec agent.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C/CR:L/IR:H/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:H/MA:N&version=3.1
History
2026-04-20: Initial vulnerability report published.
_____________________________________________________________________
CVE-2026-22754: Servlet Path Not Correctly Included in Path Matching
of XML Authorization Rules
HIGH | APRIL 20, 2026 | CVE-2026-22754
Description
If an application uses to define the servlet path for computing a
path matcher, then the servlet path is not included and the related
authorization rules are not exercised. This can lead to an
authorization bypass.
Affected Spring Products and Versions
Spring Security:
7.0.0 - 7.0.4
Spring Security 6.x and earlier are not affected; the described issue
applies to XML intercept-url servlet path handling in Spring
Security 7.
Mitigation
Users of affected versions should upgrade to the corresponding fixed
version.
Affected version(s)   Fix version   Availability
7.0.x                 7.0.5         OSS
If you are not able to upgrade, you can place the servlet path
directly in the URL as follows:
Use an access expression (or other supported authorization attributes)
appropriate for your application.
Credit
The issue was identified and responsibly reported by Apex, a Cantinas
AppSec agent.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C/CR:L/IR:H/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:H/MA:N&version=3.1
History
2026-04-20: Initial vulnerability report published.
_____________________________________________________________________
CVE-2026-22747: Unauthorized User Impersonation when Using X.509
Client Certificates
MEDIUM | APRIL 20, 2026 | CVE-2026-22747
Description
SubjectX500PrincipalExtractor does not correctly handle certain
malformed X.509 certificate CN values, which can lead to reading the
wrong value for the username. In a carefully crafted certificate,
this can lead to an attacker impersonating another user.
Environmental Considerations
This component sits behind Spring Security's pre-authentication flow,
which assumes the presented credentials have already been validated
by a trusted upstream. Exploiting this issue therefore presupposes a
compromise of that upstream trust. So while we recommend upgrading,
this fix is better understood as defense-in-depth than as closing a
standalone attack path.
Also note that this fix only addresses SubjectX500PrincipalExtractor
and not SubjectDnX509PrincipalExtractor, a deprecated component.
Affected Spring Products and Versions
Spring Security:
7.0.0 - 7.0.4
Mitigation
Users of affected versions should upgrade to the corresponding fixed
version.
Affected version(s)   Fix version   Availability
7.0.x                 7.0.5         OSS
Credit
The issue was identified and responsibly reported by Nikita
Markevich.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1
History
2026-04-20: Initial vulnerability report published.
_____________________________________________________________________
CVE-2026-22748: Potential Security Misconfiguration when Using
withIssuerLocation
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
Description
When an application configures JWT decoding with NimbusJwtDecoder or
NimbusReactiveJwtDecoder, it must configure an
OAuth2TokenValidator separately, for example by calling
setJwtValidator.
This is easy to miss when using NimbusJwtDecoder#withIssuerLocation
or NimbusReactiveJwtDecoder#withIssuerLocation, which may be
interpreted as adding issuer validation automatically.
Recent maintenance versions of NimbusJwtDecoder#withIssuerLocation
and NimbusReactiveJwtDecoder#withIssuerLocation now add issuer
validation by default.
Affected Spring Products and Versions
Spring Security:
6.3.0 - 6.3.14
6.4.0 - 6.4.14
6.5.0 - 6.5.9
7.0.0 - 7.0.4
Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding
fixed version.
Affected version(s)   Fix version   Availability
6.3.x                 6.3.15        Enterprise Support Only
6.4.x                 6.4.15        Enterprise Support Only
6.5.x                 6.5.10        OSS
7.0.x                 7.0.5         OSS
Note that if this upgrade causes you trouble due to unwanted
issuer validation, you can change it to the earlier default
in the following way:
@Bean
JwtDecoder jwtDecoder() {
    String issuer = "https://issuer.example.org";
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer)
            // ... other configurations
            .build();
    // Replace the issuer-aware default installed by the fixed version with the
    // earlier default (timestamp validation only); the setter is setJwtValidator
    // and the factory method is JwtValidators.createDefault().
    jwtDecoder.setJwtValidator(JwtValidators.createDefault()); // set to the non-issuer default validator
    return jwtDecoder;
}
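Conversely, for an application still on an affected version, the explicit issuer validation that the description says must be configured separately. This is an added example, not code from the advisory or from Spring Security itself; the issuer URL is a placeholder and the validator chain is spelled out so that it does not depend on what withIssuerLocation adds by itself:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Constructed placeholder; use your authorization server's issuer identifier.
    private static final String ISSUER = "https://issuer.example.org";

    @Bean
    JwtDecoder jwtDecoder() {
        // withIssuerLocation still resolves the JWK set from the issuer's metadata;
        // on affected versions that is all it does, it does not check the "iss" claim.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // Explicit chain: JwtTimestampValidator enforces exp/nbf, JwtIssuerValidator
        // rejects any token whose "iss" claim is not ISSUER. On versions with the fix
        // this equals the new default; on affected versions it closes the gap.
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(), new JwtIssuerValidator(ISSUER));
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

The same setter exists on NimbusReactiveJwtDecoder for WebFlux applications, so the validator chain above can be reused there unchanged.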
Credit
The issue was identified and responsibly reported by Daniel
Seiler.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C/CR:L/IR:M/AR:L/MAV:N/MAC:H/MPR:H/MUI:N/MS:C/MC:N/MI:H/MA:N&version=3.1
History
2026-04-20: Initial vulnerability report published.
_____________________________________________________________________
CVE-2026-22746: User Attribute Enumeration when Using
DaoAuthenticationProvider
LOW | APRIL 20, 2026 | CVE-2026-22746
Description
If an application is using the UserDetails#isEnabled,
#isAccountNonExpired, or #isAccountNonLocked user attributes, to
enable, expire, or lock users, then DaoAuthenticationProvider's
timing attack defense can be bypassed for users who are disabled,
expired, or locked.
Affected Spring Products and Versions
Spring Security:
5.7.0 - 5.7.22
5.8.0 - 5.8.24
6.3.0 - 6.3.15
6.4.0 - 6.4.15
6.5.0 - 6.5.9
7.0.0 - 7.0.4
Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding
fixed version.
Affected version(s)   Fix version   Availability
5.7.x                 5.7.23        Enterprise Support Only
5.8.x                 5.8.25        Enterprise Support Only
6.3.x                 6.3.16        Enterprise Support Only
6.4.x                 6.4.16        Enterprise Support Only
6.5.x                 6.5.10        OSS
7.0.x                 7.0.5         OSS
Note that this version also introduces a setter
DaoAuthenticationProvider#setAlwaysPerformAdditionalChecksOnUser.
In the event that this upgrade causes you trouble, you can set
this value to false.
Credit
The issue was identified and responsibly reported by meverden.
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1
History
2026-04-20: Initial vulnerability report published.
_____________________________________________________________________
CVE-2026-22751: Spring Security JdbcOneTimeTokenService allows a
one-time token to authenticate multiple sessions
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Description
Applications that explicitly configure One-Time Token login with
JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use
(TOCTOU) race condition. An attacker with a valid one-time token can
send concurrent requests to the authentication endpoint, allowing the
single-use token to be consumed multiple times and establishing
multiple authenticated sessions. The default
InMemoryOneTimeTokenService is thread-safe and not affected by this
vulnerability.
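The race described above, shown as a check-then-delete sequence beside an atomic consume whose DELETE row count decides the outcome. This is an added example written against plain JDBC, not Spring Security's JdbcOneTimeTokenService or its fix; the table and column names (one_time_tokens with token_value as primary key, username, expires_at) and the Consumed record are assumptions of the example:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Instant;
import java.util.Optional;

public final class OneTimeTokenConsumer {
    public record Consumed(String username, Instant expiresAt) {} // example-only return type

    // Each login request passes its own Connection; the table shape follows the
    // assumed schema (token_value primary key, username, expires_at).
    private static Optional<Consumed> lookup(Connection c, String token) throws SQLException {
        String sql = "SELECT username, expires_at FROM one_time_tokens WHERE token_value = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, token);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return Optional.empty();
                return Optional.of(new Consumed(rs.getString(1), rs.getTimestamp(2).toInstant()));
            }
        }
    }

    // Racy: the SELECT is the check and the DELETE is the use. Concurrent requests can all
    // pass the check before any DELETE runs, so one token opens several sessions.
    public static Optional<Consumed> consumeRacy(Connection c, String token) throws SQLException {
        Optional<Consumed> found = lookup(c, token).filter(t -> t.expiresAt().isAfter(Instant.now()));
        if (found.isEmpty()) return Optional.empty();
        try (PreparedStatement ps = c.prepareStatement("DELETE FROM one_time_tokens WHERE token_value = ?")) {
            ps.setString(1, token);
            ps.executeUpdate(); // update count ignored: the check already "passed"
        }
        return found;
    }

    // Hardened: the DELETE decides. Racing requests may all read the row, but a single-row
    // DELETE by primary key removes it exactly once; only update count 1 may authenticate.
    public static Optional<Consumed> consumeAtomic(Connection c, String token) throws SQLException {
        Optional<Consumed> found = lookup(c, token);
        if (found.isEmpty()) return Optional.empty();
        String sql = "DELETE FROM one_time_tokens WHERE token_value = ? AND expires_at > ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, token);
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            return ps.executeUpdate() == 1 ? found : Optional.empty();
        }
    }
}
```

A useful regression check for any one-time-token store is to fire N concurrent consumes of the same token and assert that exactly one returns a value; the racy variant fails that test, the atomic one passes it on any database that executes a single-row DELETE atomically.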
Affected Spring Products and Versions
Spring Security:
6.4.0 - 6.4.15
6.5.0 - 6.5.9
7.0.0 - 7.0.4
Mitigation
Users of affected versions should upgrade to the corresponding
fixed version.
Affected version(s)   Fix version   Availability
6.4.x                 6.4.16        Commercial
6.5.x                 6.5.10        OSS
7.0.x                 7.0.5         OSS
Credit
The issue was identified and responsibly reported by Jinyeong
Seol (@Seol-JY).
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email:cert@support.renater.fr +
=========================================================