7.5
CVE-2026-22754
- EPSS 0.27%
- Veröffentlicht 22.04.2026 05:32:48
- Zuletzt bearbeitet 30.06.2026 03:17:27
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
ervlet Path Not Correctly Included in Path Matching of XML Authorization Rules
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Security Version >= 7.0.0 < 7.0.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.182 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@vmware.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://spring.io/security/cve-2026-22754
https://access.redhat.com/security/cve/CVE-2026-22754
https://bugzilla.redhat.com/show_bug.cgi?id=2460489
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22754.json