7.5

CVE-2026-22753

Medienbericht

EPSS 0.07%
Veröffentlicht 22.04.2026 05:20:31
Zuletzt bearbeitet 24.04.2026 14:17:02
Quelle security@vmware.com
CVE-Watchlists
Login
Unerledigt
Login

Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

VMware ≫ Spring Security Version >= 7.0.0 < 7.0.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.209

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vmware.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

https://www.heise.de/news/VMware-Tanzu-Spring-Security-Angreifer-koennen-boesartigen-Clients-anmelden-11268714.html

Media Report

https://spring.io/security/cve-2026-22753

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-22753

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22753

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22753

EUVD