CVE-2026-22748
JWT Validation Bypass in Spring Security NimbusJwtDecoder

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VMware

Description
Vulnerability in Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Affected Vendors & Products (4 associated CPEs)
Vendor   Product          Version / Range
vmware   spring_security  up to 6.3.15 (exc)
vmware   spring_security  from 6.4.0 (inc) to 6.4.15 (exc)
vmware   spring_security  from 6.5.0 (inc) to 6.5.10 (exc)
vmware   spring_security  from 7.0.0 (inc) to 7.0.5 (exc)
CWE ID   Description
CWE-20   The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22748 is a security misconfiguration vulnerability in Spring Security related to JWT decoding using NimbusJwtDecoder or NimbusReactiveJwtDecoder.

When configuring JWT decoding with these decoders, developers must explicitly configure an OAuth2TokenValidator<Jwt> (for example, by calling setJwtValidator) to enforce issuer validation.

Prior to recent maintenance versions, this explicit configuration was easy to overlook, leading to a lack of issuer validation and potential security risks.

Recent fixed versions have changed the behavior to add issuer validation by default, mitigating this issue.


How can this vulnerability impact me?

This vulnerability can impact the integrity of your application by allowing JWT tokens to be accepted without proper issuer validation.

An attacker could exploit this to bypass security controls, potentially impersonating users or gaining unauthorized access.

The CVSS score indicates a medium severity with high integrity impact, requiring low privileges and no user interaction.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from a misconfiguration in Spring Security JWT decoding when using NimbusJwtDecoder or NimbusReactiveJwtDecoder without explicitly setting an OAuth2TokenValidator<Jwt>. Detection involves reviewing the application configuration to check if the JWT decoder is configured with the method withIssuerLocation but lacks an explicit call to setJwtValidator to enforce issuer validation.

No network or system command detects this issue automatically, because it is a configuration defect rather than a network-visible behavior. Detection requires inspecting the source code or configuration of applications running affected Spring Security versions (6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4) to verify that an OAuth2TokenValidator<Jwt> with issuer validation is set on every NimbusJwtDecoder or NimbusReactiveJwtDecoder built via withIssuerLocation.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Spring Security to a fixed version where the issue is resolved:

  • Upgrade 6.3.x versions to 6.3.15 (Enterprise Support only)
  • Upgrade 6.4.x versions to 6.4.15 (Enterprise Support only)
  • Upgrade 6.5.x versions to 6.5.10 (Open Source Software)
  • Upgrade 7.0.x versions to 7.0.5 (Open Source Software)

If upgrading is not immediately possible, or if the automatic issuer validation introduced in the fixed versions causes issues, you can explicitly set the token validator to JwtValidators.createDefault() after building the NimbusJwtDecoder to revert to the previous default behavior (timestamp validation only, no issuer check). For example:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Bean
JwtDecoder jwtDecoder() {
    String issuer = "https://issuer.example.org";
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer)
            // ...other configurations
            .build();
    // Revert to the non-issuer default validator (timestamp checks only).
    jwtDecoder.setJwtValidator(JwtValidators.createDefault());
    return jwtDecoder;
}
```
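For applications still on an affected version, the safer course is to keep issuer validation rather than drop it. The following configuration is an added example (not code from the advisory or from the Spring Security project) showing the unvalidated builder call beside the hardened form that pins the expected issuer with JwtValidators.createDefaultWithIssuer, for both the servlet and the reactive decoder; the issuer URL is a placeholder.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder issuer URL; substitute the real authorization server.
    private static final String ISSUER = "https://issuer.example.org";

    // Affected versions: withIssuerLocation resolves the JWK set from the
    // issuer metadata, but the built decoder does not check that the token's
    // "iss" claim equals ISSUER. Shown for comparison only; do not use as-is.
    static JwtDecoder decoderWithoutIssuerCheck() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    // Hardened form: default timestamp validation plus an explicit issuer match.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(withIssuer);
        return decoder;
    }

    // The reactive decoder (WebFlux) needs the same explicit validator.
    @Bean
    ReactiveJwtDecoder reactiveJwtDecoder() {
        NimbusReactiveJwtDecoder decoder =
                NimbusReactiveJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

A token whose "iss" claim does not match ISSUER is rejected by the hardened beans with a JwtValidationException at decode time, which is the behavior the fixed versions now apply by default.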


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Spring Security involves a potential misconfiguration in JWT decoding that can lead to a failure in enforcing issuer validation. Since JWT tokens are often used for authentication and authorization, improper validation could allow unauthorized access or manipulation of user identity information.

Such weaknesses in token validation can impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to ensure data integrity and prevent unauthorized access.

Specifically, the high integrity impact indicated by the CVSS score suggests that the vulnerability could allow attackers to bypass certain security controls, potentially leading to unauthorized actions or data modifications, which would be a compliance risk under these regulations.

Mitigation by upgrading to fixed versions or explicitly configuring token validators helps maintain compliance by ensuring proper token validation and reducing the risk of unauthorized access.

