CVE-2026-22731

Authorization Bypass
Affects: Spring Boot (Spring)
Versions: >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.3
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Boot is the most widely used Java framework for building production-grade applications with minimal configuration. It provides embedded servers, auto-configuration, and production-ready features including Actuator endpoints for application monitoring and management.

A high-severity authentication bypass vulnerability (CVE-2026-22731) has been identified in Spring Boot's Actuator EndpointRequest request matcher. When an application configures a health group to be exposed under an additional path on the main server, the EndpointRequest matcher generates overly broad patterns that match not only the configured health group path but also subpaths beneath it. If the application also maps an application endpoint that requires authentication under one of those subpaths, the actuator security filter chain (which is normally ordered first and permits unauthenticated access to health checks) claims the request before the application's own security rules are consulted, allowing an unauthenticated remote attacker to reach the protected endpoint.

Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

This issue affects Spring Boot versions 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.3.

Details

Vulnerability Info

This high-severity vulnerability is found in the EndpointRequest class within the spring-boot-actuator-autoconfigure module, affecting both the Servlet and Reactive variants.

Spring Boot Actuator allows applications to define health groups and expose them at additional paths using configuration properties such as:

management.endpoint.health.group.mygroup.include=*
management.endpoint.health.group.mygroup.additional-path=server:/healthz

The EndpointRequest class is commonly used in Spring Security configurations to create request matchers for actuator endpoints. These matchers are then used to define security rules, such as permitting unauthenticated access to health endpoints.

An application is vulnerable when all of the following conditions are true:

  • The application has the Actuator dependency on the classpath
  • The application declares a custom health group with management.endpoint.health.group.<name>.include
  • The health group is exposed under an additional path on the main server, such as management.endpoint.health.group.<name>.additional-path=server:/healthz
  • The application maps an application endpoint that requires authentication under a subpath of the health group's additional path, such as /healthz/admin
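As an added example (written for this write-up, not code from the advisory or the Spring project), the following Spring Boot 3.x application satisfies all four preconditions above and places a safe mapping beside the vulnerable one. It assumes spring-boot-starter-web, spring-boot-starter-actuator and spring-boot-starter-security on the classpath and the Spring Security 6 configuration style; the class names, the /admin/report path, and the credentials are illustrative.

```java
// Added example: a minimal application reproducing the advisory's preconditions.
// Assumes spring-boot-starter-web, -actuator and -security (Spring Boot 3.x, Servlet stack).
package example;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class HealthzOverlapApplication {

    public static void main(String[] args) {
        new SpringApplicationBuilder(HealthzOverlapApplication.class)
            .properties(
                // Preconditions 2 and 3: a custom health group exposed on the main server at /healthz.
                "management.endpoint.health.group.mygroup.include=*",
                "management.endpoint.health.group.mygroup.additional-path=server:/healthz",
                // Illustrative credentials for the authenticated application chain.
                "spring.security.user.name=admin",
                "spring.security.user.password=change-me")
            .run(args);
    }

    @RestController
    static class AdminController {

        // Precondition 4: an application endpoint nested under the health group's additional path.
        // On an affected version the actuator chain below claims this request first, so the
        // permitAll rule for health applies and no credentials are required.
        @GetMapping("/healthz/admin")
        String adminUnderHealthz() {
            return "sensitive admin data";
        }

        // Safe alternative: keep application endpoints out of the actuator namespace entirely.
        // /admin/report is only ever matched by the application chain and always requires a login.
        @GetMapping("/admin/report")
        String adminElsewhere() {
            return "sensitive admin data";
        }
    }

    // Typical actuator chain: evaluated first; health is open, every other endpoint needs a role.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().hasRole("ACTUATOR"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Application chain: everything the actuator chain did not claim must be authenticated.
    @Bean
    @Order(2)
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Run the application and request http://localhost:8080/healthz/admin without credentials. Per the advisory's description, an affected version answers from the actuator chain and returns the admin response unauthenticated, while a fixed version returns 401; /admin/report returns 401 without credentials on every version because no actuator matcher can cover it.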

In the vulnerable code, the createDelegate method in the EndpointRequest inner matcher class collected all additional health group paths into a LinkedHashSet<String> and then passed them to a separate getDelegateMatchers() method. This two-step process produced matchers that were overly broad, matching not only the configured path itself (e.g., /healthz) but also subpaths beneath it (e.g., /healthz/admin).

Vulnerable code (Servlet variant; comments added for this write-up):

// Collect every additional path configured for the matched endpoints. For a health
// group this is the value after the "server:" prefix, e.g. /healthz.
Set<String> paths = this.endpoints.stream()
    .filter(Objects::nonNull)
    .map(this::getEndpointId)
    .flatMap((endpointId) -> streamAdditionalPaths(endpoints, endpointId))
    .collect(Collectors.toCollection(LinkedHashSet::new));
// The matchers built from those paths also match subpaths such as /healthz/admin.
List<RequestMatcher> delegateMatchers = getDelegateMatchers(
    requestMatcherFactory, matcherProvider, paths, this.httpMethod);

Note: The Spring team states that mapping application endpoints under infrastructure endpoints like Actuators is not recommended and is likely to cause behavioral problems. While the severity is high, the specific configuration pattern required for exploitation is expected to be uncommon in production environments.

This CVE is related to, but distinct from, CVE-2026-22733, which addresses a similar authentication bypass under Actuator CloudFoundry endpoints. The two CVEs have different preconditions and affect different version ranges.

Mitigation

Only recent versions of Spring Boot receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Boot.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Until an upgrade is possible, removing any one of the preconditions listed above closes the exposure. In practice that means not mapping application endpoints under a health group's additional path (or dropping the additional-path setting), which is also what the Spring team recommends.
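Added example, not from the advisory or the Spring project: a startup guard that enforces the Spring team's advice quoted in the Details section by refusing to boot when any application request mapping sits on or under a health group's additional path on the main server. It assumes the Servlet stack on Spring Boot 3.x, the bean name requestMappingHandlerMapping from Spring Boot's MVC auto-configuration, and that the class lives in a component-scanned package; the class name and the HealthGroup property holder are illustrative.

```java
// Added example: fail fast when application mappings overlap a health group's
// additional path on the main server. Assumes Spring Boot 3.x, Servlet stack.
package example;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.bind.Bindable;
import org.springframework.boot.context.properties.bind.Binder;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

@Component
public class HealthGroupPathOverlapGuard implements SmartInitializingSingleton {

    private static final String SERVER_PREFIX = "server:";

    private final Environment environment;
    private final RequestMappingHandlerMapping handlerMapping;

    // The qualifier selects Boot's MVC handler mapping; the actuator registers its own
    // RequestMappingHandlerMapping subclass, which we deliberately do not inspect.
    HealthGroupPathOverlapGuard(Environment environment,
            @Qualifier("requestMappingHandlerMapping") RequestMappingHandlerMapping handlerMapping) {
        this.environment = environment;
        this.handlerMapping = handlerMapping;
    }

    // Illustrative holder bound from management.endpoint.health.group.<name>.*;
    // only additional-path is needed here, other keys are ignored by the Binder.
    public static class HealthGroup {
        private String additionalPath;
        public String getAdditionalPath() { return additionalPath; }
        public void setAdditionalPath(String additionalPath) { this.additionalPath = additionalPath; }
    }

    @Override
    public void afterSingletonsInstantiated() {
        List<String> overlaps = findOverlaps(mainServerAdditionalPaths(), mappedPatterns());
        if (!overlaps.isEmpty()) {
            throw new IllegalStateException(
                "Application mappings overlap health group additional paths: " + overlaps);
        }
    }

    // Additional paths configured for the main server, e.g. "server:/healthz" -> "/healthz".
    List<String> mainServerAdditionalPaths() {
        Map<String, HealthGroup> groups = Binder.get(environment)
            .bind("management.endpoint.health.group", Bindable.mapOf(String.class, HealthGroup.class))
            .orElse(Map.of());
        List<String> paths = new ArrayList<>();
        for (HealthGroup group : groups.values()) {
            String additionalPath = group.getAdditionalPath();
            if (additionalPath != null && additionalPath.startsWith(SERVER_PREFIX)) {
                paths.add(normalize(additionalPath.substring(SERVER_PREFIX.length())));
            }
        }
        return paths;
    }

    // Every path pattern registered by @RequestMapping-style application handlers.
    List<String> mappedPatterns() {
        List<String> patterns = new ArrayList<>();
        for (RequestMappingInfo info : handlerMapping.getHandlerMethods().keySet()) {
            patterns.addAll(info.getPatternValues());
        }
        return patterns;
    }

    // Flags a pattern that equals the health path or is nested beneath it.
    // Kept free of Spring types so it can be unit-tested without a context.
    static List<String> findOverlaps(List<String> healthPaths, List<String> patterns) {
        List<String> overlaps = new ArrayList<>();
        for (String healthPath : healthPaths) {
            for (String pattern : patterns) {
                if (pattern.equals(healthPath) || pattern.startsWith(healthPath + "/")) {
                    overlaps.add(pattern + " under " + healthPath);
                }
            }
        }
        return overlaps;
    }

    static String normalize(String path) {
        String p = path.startsWith("/") ? path : "/" + path;
        return p.length() > 1 && p.endsWith("/") ? p.substring(0, p.length() - 1) : p;
    }
}
```

With the configuration from the Details section and a controller mapped at /healthz/admin, startup fails with the message naming "/healthz/admin under /healthz"; findOverlaps(List.of("/healthz"), List.of("/healthz/admin", "/admin/report")) returns exactly that one entry, so the pure function can be covered by a plain unit test. The guard does not replace the upgrade, it only prevents the fourth precondition from being reintroduced later.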

Credits

  • Gyu-hyeok Lee (g2h) (finder)
Vulnerability Details

Severity: High (scale used on this page: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-22731
Project Affected: Spring Boot
Versions Affected: >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.3
NES Versions Affected:
Published date: March 20, 2026
Approximate fix date: March 19, 2026
Category: Authorization Bypass