CVE-2026-47838
Status: Received - Intake
Username Impersonation in Spring Security via X.509 CN Handling

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
Affected Vendors & Products
5 associated CPEs (vendor: spring, product: security). The CPE entries name only the first version of each affected line; the full ranges, taken from the description above, are:
Version / Range
5.7.0 through 5.7.24
5.8.0 through 5.8.26
6.3.0 through 6.3.17
6.4.0 through 6.4.17
6.5.0 through 6.5.10
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-47838 is a vulnerability in Spring Security's SubjectDnX509PrincipalExtractor, the component that derives a username from the Common Name (CN) in the subject DN of an X.509 client certificate. It does not correctly handle certain malformed CN values.

Because of this, the extractor can read the wrong value as the username. An attacker who can present a certificate with a specially crafted subject can use this to be authenticated as another user.

The affected versions are 5.7.0 through 5.7.24, 5.8.0 through 5.8.26, 6.3.0 through 6.3.17, 6.4.0 through 6.4.17 and 6.5.0 through 6.5.10. The extractor runs in Spring Security's pre-authentication flow, after the TLS layer has already accepted the client certificate, so what is at issue is the mapping from certificate to username, not certificate validation itself.
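The following Java program is added here as an illustration; it is not code from Spring Security or from this advisory. It contrasts the two ways a username can be pulled out of a certificate's subject DN: a regular expression over the DN string, and structured RDN parsing with the JDK's javax.naming.ldap.LdapName. The regex, the class name and the sample DNs are constructed for the example. The advisory does not disclose the specific malformation involved, so this shows the general class of bug (a string-level extractor reading a value from the wrong attribute, or a truncated value) rather than the exact trigger.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // String-level extraction: take whatever follows the first "CN=" up to the next comma.
    // Assumption: a simplified stand-in for a regex-based extractor, not Spring Security's code.
    private static final Pattern CN_PATTERN =
            Pattern.compile("CN=(.*?)(?:,|$)", Pattern.CASE_INSENSITIVE);

    static String extractByRegex(String subjectDn) {
        Matcher m = CN_PATTERN.matcher(subjectDn);
        return m.find() ? m.group(1) : null;
    }

    // Structured extraction: parse the DN into RDNs under RFC 2253/4514 rules (escapes
    // honoured, attribute boundaries respected) and return the value of the CN attribute.
    static String extractByRdn(String subjectDn) throws InvalidNameException {
        LdapName name = new LdapName(subjectDn);
        for (Rdn rdn : name.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subject DNs; none of them is taken from the advisory.
        String[] dns = {
            // Well-formed: both extractors agree on "alice".
            "CN=alice,OU=Engineering,O=Example Corp",
            // A non-CN attribute whose value contains the text "CN=admin".
            // The regex matches inside the OU value and returns "admin";
            // the RDN parser returns the real CN, "mallory".
            "OU=CN=admin,CN=mallory,O=Example Corp",
            // An escaped comma inside the CN value. The regex stops at the first comma
            // and returns a truncated "bob\"; the RDN parser returns "bob, Jr.".
            "CN=bob\\, Jr.,O=Example Corp",
        };
        for (String dn : dns) {
            System.out.printf("%-42s regex=%-10s rdn=%s%n",
                    dn, extractByRegex(dn), extractByRdn(dn));
        }
    }
}
```

The second DN is the case that matters for impersonation: if a trusted issuer can be made to put attacker-chosen text into any attribute of the subject, a string-level extractor can be steered to a CN it never parsed. The fix direction the advisory points to, a principal extractor that works from the parsed X500Principal, corresponds to extractByRdn here.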

Compliance Impact

The vulnerability allows an attacker to impersonate another user by exploiting the handling of malformed X.509 certificate Common Name (CN) values, which can give them unauthorized access to that user's account.

Such user impersonation undermines the integrity and confidentiality of user data, both of which are core requirements under common standards and regulations such as GDPR and HIPAA.

Because the attacker still needs a certificate that the server trusts (see Impact Analysis), the issue is best understood as a weakening of the certificate-to-user mapping rather than as a standalone remote attack path; it nonetheless degrades the authentication controls those frameworks require, and a successful exploit would be a reportable unauthorized access.

Upgrading to a fixed version and replacing the deprecated SubjectDnX509PrincipalExtractor with SubjectX500PrincipalExtractor removes the weakness and helps maintain compliance.

Impact Analysis

This vulnerability can allow an attacker to impersonate another user by exploiting the incorrect handling of malformed X.509 certificate CN values.

If exploited, the attacker is authenticated as the victim and gains whatever access that user has, bypassing the intended authentication control.

However, the extractor operates in Spring Security's pre-authentication flow: it trusts that the TLS layer (the servlet container or a reverse proxy in front of it) has already validated the client certificate against the configured trust store. An attacker therefore needs a certificate that this upstream trust mechanism accepts, with subject content they were able to influence, before the extraction flaw can be reached.

Mitigation Strategies

Upgrade Spring Security to a release in which the issue is fixed; for older release lines, fixed versions are available through Enterprise Support.

Replace the deprecated SubjectDnX509PrincipalExtractor with SubjectX500PrincipalExtractor, which derives the username from the certificate's parsed X500Principal instead of a regular expression over the DN string.

Because the extractor runs behind the pre-authentication flow, also verify that the upstream trust mechanism is sound: the TLS endpoint must require client certificates, validate them against a trust store containing only the intended CAs, and those CAs should not issue certificates whose subject content is chosen by the requester.
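The following Spring Security configuration is an added example of the replacement the advisory recommends; it is not taken from this page or from the Spring project. It assumes the Spring Security 6.x lambda DSL, that client-certificate authentication is terminated by the servlet container, and an in-memory user store (constructed for the example) whose usernames match the certificates' CN values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Set the principal extractor explicitly instead of relying on the configurer's
            // default or on subjectPrincipalRegex(...), both of which describe the CN as a
            // pattern over the DN string. SubjectX500PrincipalExtractor works from the
            // certificate's parsed X500Principal instead.
            .x509(x509 -> x509
                .x509PrincipalExtractor(new SubjectX500PrincipalExtractor())
                .userDetailsService(users));
        return http.build();
    }

    // Assumption: a throw-away in-memory user store so the snippet is self-contained.
    // With X.509 pre-authentication the password is never checked, but UserDetails
    // requires a non-null value; the username must equal the certificate's CN.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}unused").roles("USER").build());
    }
}
```

After deploying, confirm in a test environment that a certificate whose subject contains extra attributes or escaped characters around the CN still maps to the intended user and nothing else; the extractor change is only effective if no other code path still reads the DN string with a pattern.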
