CVE-2026-2742
Received Received - Intake
Authentication Bypass in Vaadin Spring Security via Path Matching

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: Vaadin Ltd.

Description
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-05-07
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2742
EUVD
EUVD-2026-10498
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
vaadin vaadin From 14.0.0 (inc) to 14.14.0 (inc)
vaadin vaadin From 23.0.0 (inc) to 23.6.6 (inc)
vaadin vaadin From 24.0.0 (inc) to 24.9.7 (inc)
vaadin vaadin From 25.0.0 (inc) to 25.0.1 (inc)
vaadin flow From 14.0.0 (inc) to 14.14.0 (inc)
vaadin flow From 23.0.0 (inc) to 23.6.6 (inc)
vaadin flow From 24.0.0 (inc) to 24.9.7 (inc)
vaadin flow From 25.0.0 (inc) to 25.0.1 (inc)
vaadin flow From 2.0.0 (inc) to 2.13.0 (inc)
vaadin flow From 23.0.0 (inc) to 23.6.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users of affected Vaadin versions using Spring Security should upgrade their Vaadin framework to a fixed version.

  • For versions 14.0.0 through 14.14.0, upgrade to 14.14.1.
  • For versions 23.0.0 through 23.6.6, upgrade to 23.6.7.
  • For versions 24.0.0 through 24.9.7, upgrade to 24.9.8.
  • For versions 25.0.0 through 25.0.1, upgrade to 25.0.2 or newer.

Note that Vaadin versions 10-13 and 15-22 are no longer supported, so updating to the latest supported versions 14, 23, 24, or 25 is recommended.


Can you explain this vulnerability to me?

This vulnerability is an authentication bypass issue in Vaadin versions 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1 when used with Spring Security.

The problem arises due to inconsistent path pattern matching of reserved framework paths. Specifically, accessing the /VAADIN endpoint without a trailing slash allows bypassing security filters.

This means unauthenticated users can trigger framework initialization and create sessions without proper authorization.


How can this vulnerability impact me? :

The vulnerability allows unauthenticated users to bypass security controls and create sessions without authorization.

This can lead to unauthorized access to application resources or functionality that should be protected by authentication.

Such unauthorized access could potentially be exploited to compromise the security of the application or its data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart