CVE-2026-22731
Received
Received - Intake
Authentication Bypass in Spring Boot Actuator Health Group Endpoints
Publication date: 2026-03-19
Last updated on: 2026-04-16
Assigner: VMware
Description
Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.
This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.
This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_boot | From 3.4.0 (inc) to 3.4.15 (exc) |
| vmware | spring_boot | From 3.5.0 (inc) to 3.5.12 (exc) |
| vmware | spring_boot | From 4.0.0 (inc) to 4.0.4 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
