Security
Mar 26, 2026

March 2026 Spring CVE Roundup: Six New Vulnerabilities Patched Across the Spring Ecosystem

Spring Ecosystem Security Alert: Six New CVEs (One Critical) Affect Boot, Framework, Security, Cloud Config, and Legacy EOL Lines


Severity: Critical (1), High (2), Medium (2), Low (1)
Affected Projects: Spring Boot, Spring Security, Spring Framework, Spring Cloud Config

On March 19–20, 2026, the Spring team disclosed six new security advisories spanning Spring Boot, Spring Security, Spring Framework, and Spring Cloud Config. The batch covers a range of severities, from a Critical header-omission flaw in Spring Security down to a Low SSE injection issue in Spring Framework, and affects a wide swath of versions across the Spring ecosystem, including many that have already reached end of life.

This post is a high-level summary of what was disclosed, which components and versions are affected, and where to find more detail on each issue.

The Six CVEs at a Glance

CVE-2026-22732, Critical | Spring Security

Artifact: spring-security-web
NES Versions Affected: 4.2.x, 5.5.x, 5.7.x, 5.8.x, 6.2.x, 6.3.x, 6.4.x

This is the most severe issue in the batch. A flaw in Spring Security's OnCommittedResponseWrapper class causes the security response headers written by HeaderWriterFilter, including X-Frame-Options, Cache-Control, Content-Security-Policy, and others, to be silently omitted under certain conditions. The wrapper exists to notice when a response is about to commit so that Spring Security can write its headers first. When Content-Length is set via setHeader, setIntHeader, or addIntHeader (rather than through setContentLength), the wrapper does not track the body length correctly: once the application has written that many bytes, the container commits the response before Spring Security has written its headers, and headers added to an already committed response are discarded by the Servlet API without any error. The result: your application may be running without the browser-side protections you configured, and nothing in the logs will tell you.

This affects every actively maintained Spring Security branch, and extends further into a long list of EOL versions. If you're running any EOL Spring Security release, no upstream patch exists.

🔗 HeroDevs Vulnerability Directory: CVE-2026-22732
📖 Deep Dive: Spring Security Silently Drops HTTP Security Headers
🛠️ Developer Docs: Check Your Exposure to CVE-2026-22732

CVE-2026-22731, High | Spring Boot

Artifact: spring-boot-actuator-autoconfigure
NES Versions Affected: 3.4.x

An authentication bypass in the EndpointRequest request matcher that Spring Boot Actuator provides for Spring Security configuration. When an application configures a health group with an additional path on the main server port (management.endpoint.health.group.<name>.additional-path=server:/<path>), the patterns EndpointRequest generates for that group are broader than the path the health endpoint actually serves. If an application endpoint that requires authentication is mapped under one of those subpaths, and the security configuration permits EndpointRequest-matched requests before applying the stricter rule (the common EndpointRequest.toAnyEndpoint().permitAll() pattern, for example), the permissive Actuator rule takes precedence and an unauthenticated attacker can reach the protected endpoint. This CVE is related to but distinct from CVE-2026-22733, which covers a similar bypass in the CloudFoundry Actuator path.

🔗 HeroDevs Vulnerability Directory: CVE-2026-22731
📖 Blog: Spring Boot Authentication Bypass, Two New CVEs Enterprise Teams Cannot Afford to Ignore

CVE-2026-22733, High | Spring Boot

Artifact: spring-boot-actuator
NES Versions Affected: 1.5.x, 2.5.x, 2.7.x, 3.2.x, 3.3.x, 3.4.x

A second authentication bypass in Spring Boot Actuator, this time affecting the CloudFoundry Actuator integration. The CloudFoundry handler mapping only registered handlers for known Actuator endpoints under /cloudfoundryapplication. Because Boot's Cloud Foundry integration configures Spring Security to ignore /cloudfoundryapplication/** (the CloudFoundry handler performs its own token check), requests to unregistered paths under that namespace were not handled by it and could fall through to the application's other handler mappings with no authentication at all, bypassing both the CloudFoundry token checks and the intended Spring Security restrictions. This integration is only auto-configured when Boot detects that it is running on Cloud Foundry, so the exposure is limited to applications deployed there; among those, applications with catch-all request mappings (e.g., /**) are particularly exposed, since the fall-through request lands on the catch-all handler as an ordinary application request.

This issue has a notable EOL footprint, reaching all the way back to Spring Boot 1.5.x.
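The three conditions described above (security headers dropped after an explicit Content-Length, a protected endpoint under a health group's additional path, and an unregistered path under /cloudfoundryapplication) can all be probed from outside with an unauthenticated request that does not follow redirects. The program below is an added example written for this post, not HeroDevs or Spring code. The probe paths, the expected header list and the example URL are assumptions: for the headers probe, pick endpoints that set Content-Length explicitly (the trigger condition for CVE-2026-22732); for the auth probes, use a protected path under your health group's additional path (created by management.endpoint.health.group.<name>.additional-path=server:/<path>) and a path under /cloudfoundryapplication/ that no Actuator endpoint serves. It needs Java 11 or later for java.net.http.

```java
// SpringExposureProbe.java (added example; not HeroDevs or Spring code)
// Unauthenticated, redirect-free HTTP probe for the three conditions above:
//   headers:<path>  -> report expected security headers missing from the response (CVE-2026-22732)
//   auth:<path>     -> report a 2xx answer to a request that carried no credentials
//                      (CVE-2026-22731 / CVE-2026-22733 style exposure)
// Paths, the header list and the base URL are assumptions; adjust them to your deployment.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public final class SpringExposureProbe {

    /** Headers Spring Security's HeaderWriterFilter emits by default; extend with the ones you enabled (CSP, HSTS). */
    static final List<String> EXPECTED_HEADERS = List.of(
            "X-Frame-Options", "X-Content-Type-Options", "Cache-Control", "Pragma", "Expires");

    /** Case-insensitive lookup of which expected headers are absent. Pure logic, no network. */
    static List<String> missingHeaders(Map<String, List<String>> headers, List<String> expected) {
        List<String> missing = new ArrayList<>();
        for (String name : expected) {
            boolean present = headers.keySet().stream().anyMatch(k -> k.equalsIgnoreCase(name));
            if (!present) {
                missing.add(name);
            }
        }
        return missing;
    }

    /** A 2xx to a credential-less request is the bypass signal; 401/403 or a 302 to a login page is not. */
    static boolean unauthenticatedSuccess(int status) {
        return status >= 200 && status < 300;
    }

    private static HttpResponse<String> get(HttpClient client, String base, String path) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(base + path))
                .timeout(Duration.ofSeconds(10))
                .header("Accept", "*/*")          // deliberately no Authorization header or cookie
                .GET()
                .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: SpringExposureProbe <base-url> headers:<path>|auth:<path> ...");
            System.exit(2);
        }
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)   // a 302 to /login must stay a 302
                .connectTimeout(Duration.ofSeconds(5))
                .build();
        int findings = 0;
        for (int i = 1; i < args.length; i++) {
            String[] spec = args[i].split(":", 2);           // "auth:/healthz/admin" -> ["auth", "/healthz/admin"]
            if (spec.length != 2) {
                System.err.println("bad probe spec (want kind:path): " + args[i]);
                continue;
            }
            HttpResponse<String> resp = get(client, args[0], spec[1]);
            if (spec[0].equals("headers")) {
                List<String> missing = missingHeaders(resp.headers().map(), EXPECTED_HEADERS);
                System.out.printf("%s -> %d, missing %s%n", spec[1], resp.statusCode(), missing);
                if (!missing.isEmpty()) {
                    findings++;
                }
            } else if (spec[0].equals("auth")) {
                boolean open = unauthenticatedSuccess(resp.statusCode());
                System.out.printf("%s -> %d%s%n", spec[1], resp.statusCode(),
                        open ? "  REACHABLE WITHOUT CREDENTIALS" : "");
                if (open) {
                    findings++;
                }
            } else {
                System.err.println("unknown probe kind: " + spec[0]);
            }
        }
        System.exit(findings == 0 ? 0 : 1);
    }
}
```

Run it as a single-file program, for example `java SpringExposureProbe.java https://app.example.internal headers:/api/export auth:/healthz/admin auth:/cloudfoundryapplication/does-not-exist` (hypothetical host and paths); it exits non-zero when anything is flagged. For the auth probes, a 401, 403 or a 302 to the login page is the expected answer and a 2xx is the bypass. For the headers probe, compare the expected list against your own configuration: Content-Security-Policy is only sent if you enabled it, and Strict-Transport-Security is only written over HTTPS, so probe the TLS endpoint if you want to check it.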

🔗 HeroDevs Vulnerability Directory: CVE-2026-22733
📖 Blog: Spring Boot Authentication Bypass, Two New CVEs Enterprise Teams Cannot Afford to Ignore

CVE-2026-22737, Medium | Spring Framework

Artifact: spring-webmvc
NES Versions Affected: 4.3.x, 5.3.x, 6.1.x

A path traversal vulnerability in ScriptTemplateView. The getResource(String location) method concatenates a resource loader path with the provided location parameter without performing path traversal checks or verifying that the resolved resource falls within the configured base path. An attacker who can influence the template location may be able to read arbitrary files accessible to the application process. Affects applications using Spring MVC or Spring WebFlux's script template view rendering. Most applications pass fixed view names, so exposure hinges on whether any code path derives the template name or location from request data.
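The concatenation the advisory describes, next to the containment check that should sit in its place, as an added example written for this post (plain Java; it is not Spring's fix for ScriptTemplateView, whose resource loading is classpath-based, but the same containment test applied to a filesystem base directory). The base directory and the sample locations are assumptions.

```java
// TemplateLocationGuard.java (added example; not Spring's code)
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public final class TemplateLocationGuard {

    /** Plain concatenation, the shape the advisory describes: "../" simply walks out of the base. */
    static String concatenate(String resourceLoaderPath, String location) {
        return resourceLoaderPath + location;
    }

    /**
     * Resolve base + location lexically and accept only results that stay strictly under the base.
     * Absolute locations are rejected outright; ".." and "." segments are folded by normalize();
     * Path.startsWith compares whole path components, so "/srv/app/templates-evil" is not treated
     * as a child of "/srv/app/templates".
     */
    static Optional<Path> resolveWithinBase(Path base, String location) {
        if (location == null || location.isEmpty() || location.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        if (Paths.get(location).isAbsolute()) {
            return Optional.empty();
        }
        Path normalBase = base.toAbsolutePath().normalize();
        Path candidate = normalBase.resolve(location).normalize();
        if (candidate.equals(normalBase) || !candidate.startsWith(normalBase)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/templates");   // assumed template base directory
        String[] samples = {                           // constructed sample locations
                "render.js",
                "sub/page.js",
                "a/b/../c.js",
                "../../../etc/passwd",
                "/etc/passwd",
                "sub/../../secret.js",
                "."
        };
        for (String s : samples) {
            System.out.printf("%-22s concat=%-42s guarded=%s%n",
                    s,
                    concatenate(base + "/", s),
                    resolveWithinBase(base, s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

The check is lexical: it stops "..", absolute paths and the directory itself, which is what the advisory's missing verification is about. It does not see through symlinks inside the base directory; if those are possible in your deployment, call toRealPath() on the resolved file (which requires it to exist) and repeat the startsWith test against the real base.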

🔗 HeroDevs Vulnerability Directory: CVE-2026-22737

CVE-2026-22739, Medium | Spring Cloud Config

Artifact: spring-cloud-config-server
NES Versions Affected: 3.0.x, 3.1.x, 4.1.x, 4.2.x

A medium-severity vulnerability in Spring Cloud Config Server affecting multiple legacy release lines; the advisory linked below carries the technical detail. Spring Cloud Config is widely deployed as a centralized configuration service in microservice architectures, often holding credentials and connection strings for every consuming service, which makes it a high-value target even for moderate-severity issues.

🔗 HeroDevs Vulnerability Directory: CVE-2026-22739

CVE-2026-22735, Low | Spring Framework

Artifact: spring-web
NES Versions Affected: 4.3.x, 5.3.x, 6.1.x

A low-severity Server-Sent Events (SSE) injection vulnerability. The SseEmitter in Spring MVC and ServerSentEvent/ServerSentEventHttpMessageWriter in Spring WebFlux do not validate id and event field values for the presence of newline characters. SSE is a line-oriented format (one "field: value" per line, with a blank line dispatching the event), so a line break inside an id or event value ends that field early and lets the rest of the value be read as further fields or as a complete extra event. An attacker who can control data streamed to other connected clients could inject newline characters to corrupt the SSE event stream, potentially manipulating application state or presenting malicious content to connected users.
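An added example, plain Java 17 rather than Spring's SseEmitter, showing why an unvalidated id or event value is a stream-integrity problem and what the validation looks like. It frames an event the way the affected code behaves (no check on id/event), parses the result the way an EventSource client would, and then frames it again with single-line fields enforced. The hostile id value and the event names are constructed for the demonstration; the code is written for this post and is not Spring's fix.

```java
// SseInjectionDemo.java (added example; plain Java 17, not Spring's SseEmitter)
import java.util.ArrayList;
import java.util.List;

public final class SseInjectionDemo {

    /** One event as a client sees it after parsing: last id, event name, joined data lines. */
    record Event(String id, String event, String data) {}

    /** Unvalidated framing: id and event are written as given, which is the behaviour the advisory describes. */
    static String frameUnchecked(String id, String event, String data) {
        StringBuilder sb = new StringBuilder();
        if (id != null) sb.append("id:").append(id).append('\n');
        if (event != null) sb.append("event:").append(event).append('\n');
        if (data != null) {
            for (String line : data.split("\n", -1)) {   // data is legitimately multi-line: one data: line each
                sb.append("data:").append(line).append('\n');
            }
        }
        return sb.append('\n').toString();               // blank line dispatches the event
    }

    /** Hardened framing: id and event are single-line fields, so CR or LF in them is an error, not content. */
    static String frameChecked(String id, String event, String data) {
        requireSingleLine("id", id);
        requireSingleLine("event", event);
        return frameUnchecked(id, event, data);
    }

    static void requireSingleLine(String field, String value) {
        if (value != null && (value.indexOf('\n') >= 0 || value.indexOf('\r') >= 0)) {
            throw new IllegalArgumentException("SSE field '" + field + "' must not contain line breaks");
        }
    }

    /** Minimal parser following the EventSource rules closely enough to show how the stream is split. */
    static List<Event> parse(String stream) {
        List<Event> events = new ArrayList<>();
        String id = null;
        String event = null;
        StringBuilder data = new StringBuilder();
        boolean hasData = false;
        for (String raw : stream.split("\r\n|\r|\n", -1)) {
            if (raw.isEmpty()) {                           // blank line: dispatch if any data was buffered
                if (hasData) events.add(new Event(id, event == null ? "message" : event, data.toString()));
                event = null;                              // last-event-id persists; event name and data do not
                data.setLength(0);
                hasData = false;
                continue;
            }
            if (raw.startsWith(":")) continue;             // comment line
            int colon = raw.indexOf(':');
            String field = colon < 0 ? raw : raw.substring(0, colon);
            String value = colon < 0 ? "" : raw.substring(colon + 1);
            if (value.startsWith(" ")) value = value.substring(1);
            switch (field) {
                case "id" -> id = value;
                case "event" -> event = value;
                case "data" -> { if (hasData) data.append('\n'); data.append(value); hasData = true; }
                default -> { /* unknown fields are ignored, per the SSE spec */ }
            }
        }
        return events;
    }

    public static void main(String[] args) {
        // Constructed input: an id the attacker controls, carrying a complete forged event plus its terminator.
        String hostileId = "42\nevent: balance-update\ndata: {\"balance\":999999}\n";
        String frame = frameUnchecked(hostileId, "chat", "{\"msg\":\"hi\"}");
        System.out.print(frame);
        System.out.println("unchecked framing delivered: " + parse(frame));

        try {
            frameChecked(hostileId, "chat", "{\"msg\":\"hi\"}");
        } catch (IllegalArgumentException e) {
            System.out.println("checked framing rejected it: " + e.getMessage());
        }
        System.out.println("clean frame delivered: " + parse(frameChecked("42", "chat", "{\"msg\":\"hi\"}")));
    }
}
```

With the unchecked framing, the single call produces two events on the wire, and the forged balance-update event is delivered before the legitimate chat event, with the server's own id attached; the checked framing refuses the value before anything reaches the socket. Rejecting is the right response for id and event; the data field is the only one that may legitimately span lines, and it is split into one data: line per line rather than validated.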

🔗 HeroDevs Vulnerability Directory: CVE-2026-22735

EOL Versions: No Upstream Patch Available

A recurring theme across all six of these advisories is the EOL exposure gap. The upstream Spring project provides fixes only for currently supported release lines. For every one of these CVEs, a significant portion of the affected version range consists of end-of-life versions that will not receive an official patch.

If your organization is running any of the following, no community fix exists for these vulnerabilities:

  • Spring Boot 1.5.x, 2.5.x, 2.7.x, 3.2.x, 3.3.x, 3.4.x
  • Spring Security 4.2.x, 5.5.x, 5.7.x, 5.8.x, 6.2.x, 6.3.x, 6.4.x
  • Spring Framework 4.3.x, 5.3.x, 6.1.x
  • Spring Cloud Config 3.0.x, 3.1.x, 4.1.x, 4.2.x

HeroDevs NES for Spring delivers fully secure versions for all affected EOL versions as drop-in replacements, no migration required. Each of the vulnerabilities above has been analyzed and patched within NES.

👉 Learn more about NES for Spring

Quick Reference

Spring CVE Impact by Project

CVE             Severity  Project              Artifact                            NES Versions Affected
CVE-2026-22732  Critical  Spring Security      spring-security-web                 4.2.x, 5.5.x, 5.7.x, 5.8.x, 6.2.x, 6.3.x, 6.4.x
CVE-2026-22731  High      Spring Boot          spring-boot-actuator-autoconfigure  3.4.x
CVE-2026-22733  High      Spring Boot          spring-boot-actuator                1.5.x, 2.5.x, 2.7.x, 3.2.x, 3.3.x, 3.4.x
CVE-2026-22737  Medium    Spring Framework     spring-webmvc                       4.3.x, 5.3.x, 6.1.x
CVE-2026-22739  Medium    Spring Cloud Config  spring-cloud-config-server          3.0.x, 3.1.x, 4.1.x, 4.2.x
CVE-2026-22735  Low       Spring Framework     spring-web                          4.3.x, 5.3.x, 6.1.x
Author: HeroDevs