Executive Summary

CVE-2026-22753 is a high-severity vulnerability in Spring Security versions 7.0.0 through 7.0.4. It occurs when an application uses the method securityMatchers(String) together with a PathPatternRequestMatcher.Builder bean to prepend a servlet path. In this situation, requests that should match the filter chain may fail to do so, causing the related security components such as authentication and authorization controls to be bypassed or rendered inactive for those requests.

This means that intended security checks might not be applied to certain requests, potentially allowing unauthorized access or actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to authentication, authorization, and other security controls being bypassed or not exercised as intended on certain requests. As a result, unauthorized users might gain access to protected resources or perform actions they should not be allowed to.

Because the vulnerability affects the integrity of the application by allowing unauthorized modifications or access, it poses a significant security risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when an application uses the method securityMatchers(String) combined with a PathPatternRequestMatcher.Builder bean to prepend a servlet path, causing requests to the filter chain to fail matching and bypass security controls.

To detect if your system is affected, check if your Spring Security version is between 7.0.0 and 7.0.4 and if your application uses securityMatchers(String) along with a PathPatternRequestMatcher.Builder bean or the spring.mvc.servlet.path property (e.g., /api or /mvc).

There are no specific network or system commands provided to detect this vulnerability directly. However, you can inspect your application's configuration files and code for usage of securityMatchers(String) and PathPatternRequestMatcher.Builder, and verify the Spring Security version.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Spring Security to version 7.0.5 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, a recommended workaround is to explicitly include the servlet path in the matcher pattern, for example: http.securityMatchers("/servlet-path/admin/**").

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can cause authentication, authorization, and other security controls to be bypassed or rendered inactive for certain requests in affected Spring Security versions. Such a failure in enforcing security controls may lead to unauthorized access or modification of data.

Since regulations like GDPR and HIPAA require strict access controls and protection of sensitive data, this vulnerability could potentially lead to non-compliance if exploited, as it undermines the integrity of security mechanisms designed to protect personal or sensitive information.

Mitigating this vulnerability by upgrading to Spring Security 7.0.5 or later, or applying recommended workarounds, is essential to maintain compliance with these standards.

Useful 0 Not Useful 0