8.2

CVE-2026-22733

Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Data provided by the National Vulnerability Database (NVD)
VMware Spring Boot Version < 2.7.32
VMware Spring Boot Version >= 3.3.0 < 3.3.18
VMware Spring Boot Version >= 3.4.0 < 3.4.15
VMware Spring Boot Version >= 3.5.0 < 3.5.12
VMware Spring Boot Version >= 4.0.0 < 4.0.4
No advisory was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.03% | 0.076
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security@vmware.com | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.