CVE-2026-22753
Authentication Bypass in Spring Security PathPatternRequestMatcher
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_security | From 7.0.0 (inc) to 7.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22753 is a high-severity vulnerability in Spring Security versions 7.0.0 through 7.0.4. It occurs when an application uses the method securityMatchers(String) together with a PathPatternRequestMatcher.Builder bean to prepend a servlet path. In this situation, requests that should match the filter chain may fail to do so, causing the related security components such as authentication and authorization controls to be bypassed or rendered inactive for those requests.
This means that intended security checks might not be applied to certain requests, potentially allowing unauthorized access or actions.
How can this vulnerability impact me? :
This vulnerability can lead to authentication, authorization, and other security controls being bypassed or not exercised as intended on certain requests. As a result, unauthorized users might gain access to protected resources or perform actions they should not be allowed to.
Because the vulnerability affects the integrity of the application by allowing unauthorized modifications or access, it poses a significant security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when an application uses the method securityMatchers(String) combined with a PathPatternRequestMatcher.Builder bean to prepend a servlet path, causing requests to the filter chain to fail matching and bypass security controls.
To detect if your system is affected, check if your Spring Security version is between 7.0.0 and 7.0.4 and if your application uses securityMatchers(String) along with a PathPatternRequestMatcher.Builder bean or the spring.mvc.servlet.path property (e.g., /api or /mvc).
There are no specific network or system commands provided to detect this vulnerability directly. However, you can inspect your application's configuration files and code for usage of securityMatchers(String) and PathPatternRequestMatcher.Builder, and verify the Spring Security version.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Spring Security to version 7.0.5 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, a recommended workaround is to explicitly include the servlet path in the matcher pattern, for example: http.securityMatchers("/servlet-path/admin/**").
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can cause authentication, authorization, and other security controls to be bypassed or rendered inactive for certain requests in affected Spring Security versions. Such a failure in enforcing security controls may lead to unauthorized access or modification of data.
Since regulations like GDPR and HIPAA require strict access controls and protection of sensitive data, this vulnerability could potentially lead to non-compliance if exploited, as it undermines the integrity of security mechanisms designed to protect personal or sensitive information.
Mitigating this vulnerability by upgrading to Spring Security 7.0.5 or later, or applying recommended workarounds, is essential to maintain compliance with these standards.