CVE-2026-22754
Authorization Bypass in Spring Security via Servlet Path Misconfiguration
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: VMware
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_security | From 7.0.0 (inc) to 7.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22754 is a high-severity vulnerability in Spring Security versions 7.0.0 through 7.0.4 related to incorrect handling of servlet paths in XML authorization rules.
When an application uses the XML configuration `<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/>` to define the servlet path for path matching, the servlet path is not properly included in the path matcher computation.
As a result, the authorization rules associated with that servlet path are bypassed, potentially allowing unauthorized access.
This vulnerability arises from the way XML `<sec:intercept-url>` elements handle the `servlet-path` attribute in path matching.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Spring Security can lead to an authorization bypass, potentially allowing unauthorized access to protected resources.
Such unauthorized access could result in violations of compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate strict access controls to protect sensitive personal and health information.
Therefore, if exploited, this vulnerability may compromise the integrity of access controls, leading to non-compliance with these regulations.
How can this vulnerability impact me?
This vulnerability can lead to an authorization bypass, allowing attackers to gain unauthorized access to protected endpoints.
Because the servlet path is not included in the path matcher, the related authorization rules are not exercised, which means security controls intended to restrict access may be ignored.
The CVSS v3.1 score indicates a high integrity impact, meaning attackers can potentially perform unauthorized actions or modify data without proper permissions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the incorrect handling of servlet paths in Spring Security XML authorization rules, specifically when using the `<sec:intercept-url>` element with the `servlet-path` attribute. Detection involves reviewing the Spring Security XML configuration files for usage of `<sec:intercept-url>` elements that define the `servlet-path` attribute separately from the URL pattern.
There are no specific network or system commands provided to detect this vulnerability automatically. Instead, detection is primarily done through code or configuration review to identify if the vulnerable pattern is used.
A suggested approach is to search your codebase or configuration files for occurrences of `<sec:intercept-url>` elements with the `servlet-path` attribute, for example by using commands like:
- `grep -r '<sec:intercept-url' /path/to/your/project`
- `grep -r 'servlet-path=' /path/to/your/project`
This will help identify if the vulnerable configuration pattern is present. Further manual review is needed to confirm if `servlet-path` is used separately from the `pattern` attribute, which leads to the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation for this vulnerability is to upgrade Spring Security to version 7.0.5 or later, where the issue has been fixed.
If upgrading is not immediately possible, a recommended workaround is to modify the XML authorization rules to include the servlet path directly in the URL pattern instead of using the servlet-path attribute. For example, change from:
- `<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/>`
to:
- `<sec:intercept-url pattern="/servlet-path/endpoint/**" access="authenticated"/>`
This ensures that the authorization rules are properly applied and prevents the authorization bypass.
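As an added example (not Spring's or the advisory's own tooling), the following Python script parses a Spring Security XML configuration, reports every `<sec:intercept-url>` rule that relies on the `servlet-path` attribute described in the detection section above, and prints the pattern-only rewrite recommended as the workaround. The embedded sample configuration is constructed; the namespace URI is the standard Spring Security schema namespace.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample config (not from the advisory): the first two rules rely on
# servlet-path, the third already carries the servlet path inside its pattern.
SAMPLE_XML = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="{SEC_NS}">
  <sec:http>
    <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**" access="authenticated"/>
    <sec:intercept-url servlet-path="/admin" pattern="/users/*" access="hasRole('ADMIN')"/>
    <sec:intercept-url pattern="/servlet-path/public/**" access="permitAll"/>
  </sec:http>
</beans>
"""


def merged_pattern(servlet_path: str, pattern: str) -> str:
    """Fold the servlet path into the pattern (the advisory's workaround),
    normalising the slash at the join so '/a/' + '/b' becomes '/a/b'."""
    return servlet_path.rstrip("/") + "/" + pattern.lstrip("/")


def find_servlet_path_rules(xml_text: str) -> list[dict]:
    """Return each <sec:intercept-url> that sets servlet-path, with the
    rewritten pattern that no longer depends on the ignored attribute."""
    root = ET.fromstring(xml_text)
    findings = []
    # Elements are matched by namespace-qualified tag, so the prefix the file
    # binds to the security schema ('sec', 'security', ...) does not matter.
    for el in root.iter(f"{{{SEC_NS}}}intercept-url"):
        servlet_path = el.get("servlet-path")
        if servlet_path is None:
            continue  # pattern-only rules are not affected
        pattern = el.get("pattern", "")
        findings.append({
            "servlet_path": servlet_path,
            "pattern": pattern,
            "access": el.get("access"),
            "suggested_pattern": merged_pattern(servlet_path, pattern),
        })
    return findings


if __name__ == "__main__":
    for f in find_servlet_path_rules(SAMPLE_XML):
        print(f"servlet-path={f['servlet_path']!r} pattern={f['pattern']!r} "
              f"-> rewrite as pattern={f['suggested_pattern']!r}")
```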