CVE-2026-2742
Analyzed Analyzed - Analysis Complete
Authentication Bypass in Vaadin Spring Security via Path Matching

Publication date: 2026-03-10

Last updated on: 2026-05-07

Assigner: Vaadin Ltd.

Description
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2742
EUVD
EUVD-2026-10498
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vaadin vaadin From 10.0.0 (inc) to 14.14.1 (exc)
vaadin vaadin From 15.0.0 (inc) to 23.6.7 (exc)
vaadin vaadin From 24.0.0 (inc) to 24.9.8 (exc)
vaadin vaadin From 25.0.0 (inc) to 25.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass issue in Vaadin versions 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1 when used with Spring Security.

The problem arises due to inconsistent path pattern matching of reserved framework paths. Specifically, accessing the /VAADIN endpoint without a trailing slash allows bypassing security filters.

This means unauthenticated users can trigger framework initialization and create sessions without proper authorization.

Impact Analysis

The vulnerability allows unauthenticated users to bypass security controls and create sessions without authorization.

This can lead to unauthorized access to application resources or functionality that should be protected by authentication.

Such unauthorized access could potentially be exploited to compromise the security of the application or its data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users of affected Vaadin versions using Spring Security should upgrade their Vaadin framework to a fixed version.

  • For versions 14.0.0 through 14.14.0, upgrade to 14.14.1.
  • For versions 23.0.0 through 23.6.6, upgrade to 23.6.7.
  • For versions 24.0.0 through 24.9.7, upgrade to 24.9.8.
  • For versions 25.0.0 through 25.0.1, upgrade to 25.0.2 or newer.

Note that Vaadin versions 10-13 and 15-22 are no longer supported, so updating to the latest supported versions 14, 23, 24, or 25 is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2742. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart