CVE-2026-2742

EPSS 0.39%
Veröffentlicht 10.03.2026 12:08:48
Zuletzt bearbeitet 07.05.2026 18:40:35
Quelle security@vaadin.com
CVE-Watchlists
Login
Unerledigt
Login

Unauthorized session creation via reserved framework path access

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

NVD 4 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vaadin ≫ Vaadin Version >= 10.0.0 < 14.14.1

Vaadin ≫ Vaadin Version >= 15.0.0 < 23.6.7

Vaadin ≫ Vaadin Version >= 24.0.0 < 24.9.8

Vaadin ≫ Vaadin Version >= 25.0.0 < 25.0.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.307

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security@vaadin.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://vaadin.com/security/cve-2026-2742

Vendor Advisory

https://github.com/vaadin/flow/pull/22998

Patch

Issue Tracking

https://github.com/vaadin/flow/pull/23037

Patch

Issue Tracking

https://github.com/vaadin/flow/pull/23057

Patch

Issue Tracking

https://github.com/vaadin/flow/pull/23033

Patch

Issue Tracking

https://github.com/vaadin/flow/pull/23034

Patch

Issue Tracking

https://github.com/vaadin/flow/pull/23052

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-2742

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-2742

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-2742

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-2742