CVE-2026-2742

EPSS 0.69%
Veröffentlicht 10.03.2026 12:08:48
Zuletzt bearbeitet 11.03.2026 13:53:20
Quelle security@vaadin.com
CVE-Watchlists
Login
Unerledigt
Login

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervaadin

≫

Produkt vaadin

Default Statusunaffected

Version <= 14.14.0

Version 10.0.0

Status affected

Version <= 23.6.6

Version 15.0.0

Status affected

Version <= 24.9.7

Version 24.0.0

Status affected

Version <= 25.0.1

Version 25.0.0

Status affected

Herstellervaadin

≫

Produkt flow

Default Statusunaffected

Version <= 2.13.0

Version 1.0.0

Status affected

Version <= 23.6.7

Version 3.0.0

Status affected

Version <= 24.9.7

Version 24.0.0

Status affected

Version < 25.0.1

Version 25.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.69%	0.718

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vaadin.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://vaadin.com/security/cve-2026-2742

https://github.com/vaadin/flow/pull/22998

https://github.com/vaadin/flow/pull/23037

https://github.com/vaadin/flow/pull/23057

https://github.com/vaadin/flow/pull/23033

https://github.com/vaadin/flow/pull/23034

https://github.com/vaadin/flow/pull/23052

https://nvd.nist.gov/vuln/detail/CVE-2026-2742

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-2742

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-2742

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-2742