Executive Summary

CVE-2026-22748 is a security misconfiguration vulnerability in Spring Security related to JWT decoding using NimbusJwtDecoder or NimbusReactiveJwtDecoder.

When configuring JWT decoding with these decoders, developers must explicitly configure an OAuth2TokenValidator<Jwt> (for example, by calling setJwtValidator) to enforce issuer validation.

Prior to recent maintenance versions, this explicit configuration was easy to overlook, leading to a lack of issuer validation and potential security risks.

Recent fixed versions have changed the behavior to add issuer validation by default, mitigating this issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability in Spring Security involves a potential misconfiguration in JWT decoding that can lead to a failure in enforcing issuer validation. Since JWT tokens are often used for authentication and authorization, improper validation could allow unauthorized access or manipulation of user identity information.

Such weaknesses in token validation can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to ensure data integrity and prevent unauthorized access.

Specifically, the high integrity impact indicated by the CVSS score suggests that the vulnerability could allow attackers to bypass certain security controls, potentially leading to unauthorized actions or data modifications, which would be a compliance risk under these regulations.

Mitigation by upgrading to fixed versions or explicitly configuring token validators helps maintain compliance by ensuring proper token validation and reducing the risk of unauthorized access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact the integrity of your application by allowing JWT tokens to be accepted without proper issuer validation.

An attacker could exploit this to bypass security controls, potentially impersonating users or gaining unauthorized access.

The CVSS score indicates a medium severity with high integrity impact, requiring low privileges and no user interaction.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from a misconfiguration in Spring Security JWT decoding when using NimbusJwtDecoder or NimbusReactiveJwtDecoder without explicitly setting an OAuth2TokenValidator<Jwt>. Detection involves reviewing the application configuration to check if the JWT decoder is configured with the method withIssuerLocation but lacks an explicit call to setJwtValidator to enforce issuer validation.

There are no specific network or system commands provided to detect this vulnerability automatically. Instead, detection requires inspecting the source code or configuration files of the affected Spring Security application versions (6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4) to verify if the OAuth2TokenValidator is properly set.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Spring Security to a fixed version where the issue is resolved:

• Upgrade 6.3.x versions to 6.3.15 (Enterprise Support only)
• Upgrade 6.4.x versions to 6.4.15 (Enterprise Support only)
• Upgrade 6.5.x versions to 6.5.10 (Open Source Software)
• Upgrade 7.0.x versions to 7.0.5 (Open Source Software)

If upgrading is not immediately possible or if the automatic issuer validation introduced in the fixed versions causes issues, you can explicitly set the OAuth2TokenValidator to JwtValidators.createDefaults() after building the NimbusJwtDecoder to revert to the previous default behavior. For example:

```java @Bean JwtDecoder jwtDecoder() { String issuer = "https://issuer.example.org"; NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer) // ...other configurations .build(); jwtDecoder.setOAuth2TokenValidator(JwtValidators.createDefaults()); // revert to non-issuer default validator return jwtDecoder; } ```

Useful 0 Not Useful 0