HIGHCVE-2026-22731Published Modified CNA vmware
CVE-2026-22731: Authentication Bypass under Actuator Health groups paths
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Metrics
- CVSS v3.1
- 8.2
- Severity
- HIGH
- Fixed in
- 3.4.15
- Affected Products
- 1
Fix available
3.4.153.5.114.0.3
Affected packages
- Spring / Spring Boot< 4.0.3 (from 4.0) · < 3.5.11 (from 3.5) · < 3.4.15 (from 3.4)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NReferences