8.2
CVE-2026-22731
- EPSS 0.03%
- Published 19.03.2026 22:36:15
- Last modified 16.04.2026 04:30:21
- Source security@vmware.com
Authentication Bypass under Actuator Health groups paths
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Data provided by the National Vulnerability Database (NVD)
VMware ≫ Spring Boot Version >= 3.4.0 < 3.4.15
VMware ≫ Spring Boot Version >= 3.5.0 < 3.5.12
VMware ≫ Spring Boot Version >= 4.0.0 < 4.0.4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.076 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| security@vmware.com | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.