CVE-2026-22732
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications built on the Spring Framework. It provides comprehensive security services for Java EE-based enterprise software applications, including authentication, authorization, and protection against common exploits.
A critical-severity vulnerability (CVE-2026-22732) has been identified in Spring Security's OnCommittedResponseWrapper class. The wrapper fails to override the setHeader, setIntHeader, and addIntHeader methods from HttpServletResponse, which means that when Content-Length is set using any of these methods, the response body length is not tracked. This causes the HTTP response to be committed (sent to the client) before Spring Security can write its security headers, resulting in security-critical response headers being silently omitted. Missing headers can include CSRF tokens, session cookie security flags, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and other protections, potentially leading to authentication bypass, clickjacking, cross-site scripting, or other attacks that depend on the absence of these defenses.
Security misconfiguration can occur at any level of an application stack, including missing security hardening or improperly configured permissions. An application may be vulnerable if any part of its stack lacks appropriate security hardening or has improperly configured permissions on cloud services.
This issue affects multiple versions of Spring Security.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-web
- Affected versions: >=4.0.2 <6.5.9, >=7.0.0 <7.0.4
- GitHub repository: https://github.com/spring-projects/spring-security
- Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-web
- Package manager: Maven
- Fixed in:
  - OSS versions: 6.5.x, 7.0.x
  - NES for Spring Security
Vulnerability Info
This critical-severity vulnerability is found in the OnCommittedResponseWrapper class within the spring-security-web module across all published versions of Spring Security prior to the fix.
OnCommittedResponseWrapper is a core component of Spring Security's response handling pipeline. It wraps HttpServletResponse to intercept response operations, ensuring that security headers and session attributes are written before the response is committed (i.e., flushed to the client). Once a response is committed, no further headers can be added.
The wrapper tracks the Content-Length of the response body to detect when the response is about to be committed. However, the HttpServletResponse interface provides four methods for setting HTTP headers:
- addHeader(String name, String value) was overridden and tracked Content-Length
- setHeader(String name, String value) was NOT overridden
- setIntHeader(String name, int value) was NOT overridden
- addIntHeader(String name, int value) was NOT overridden
Because three of these four methods were not overridden, any code path that sets the Content-Length header via setHeader, setIntHeader, or addIntHeader bypasses Spring Security's body length tracking entirely. When this happens, the underlying servlet container commits the response based on the Content-Length value it received directly, without Spring Security being aware. The response is flushed to the client before Spring Security's filter chain has a chance to write security response headers.
This was demonstrated in a real-world scenario reported in Spring Framework issue #36381. When Spring Framework 7.0.5 optimized its internal header handling (changing from addHeader to setHeader for Content-Length), Spring Security's response headers were silently dropped. The affected headers included:
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 0
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- X-Frame-Options: DENY
- Content-Security-Policy: default-src 'self'
The loss of these headers can have severe consequences: X-Frame-Options and Content-Security-Policy protect against clickjacking and cross-site scripting; Cache-Control headers prevent sensitive data from being cached; CSRF tokens delivered via headers would be missing, potentially allowing cross-site request forgery attacks.
The fix adds overrides for the three missing methods. Each override calls a new private helper method checkContentLengthHeader that detects when Content-Length is being set and delegates to setContentLength() to enable body length tracking, consistent with the existing behavior in addHeader.
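The tracking mechanism and the fix described above, as an added illustration that is not Spring Security's OnCommittedResponseWrapper source: a minimal HttpServletResponseWrapper subclass that records Content-Length from all four header methods and fires a commit hook before the body is flushed, with the three overrides the vulnerable code lacked marked in comments. The class name, fields, the checkContentLength(long) hook, the stream wrappers that would call it, and the jakarta.servlet API on the classpath are all assumptions of the example.

```java
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;

// Added illustration, not Spring Security's code; see the lead-in for assumptions.
public abstract class ContentLengthAwareResponse extends HttpServletResponseWrapper {
    private long contentLength = -1;   // -1: unknown, no length-based tracking
    private boolean committed = false;

    protected ContentLengthAwareResponse(HttpServletResponse response) {
        super(response);
    }
    // Subclasses write their security headers here; invoked at most once.
    protected abstract void onResponseCommitted();
    // Called by the (omitted) OutputStream/Writer wrappers before each write with
    // the body byte count that write reaches; fires while headers can still be added.
    protected void checkContentLength(long written) {
        if (!committed && contentLength >= 0 && written >= contentLength) {
            committed = true;
            onResponseCommitted();
        }
    }

    @Override public void setContentLength(int len) {
        this.contentLength = len;
        super.setContentLength(len);
    }
    @Override public void addHeader(String name, String value) {  // tracked before the fix
        checkContentLengthHeader(name, value);
        super.addHeader(name, value);
    }
    // The three overrides below were missing before the fix: a Content-Length set
    // through them reached the container untracked, so it could commit first.
    @Override public void setHeader(String name, String value) {
        checkContentLengthHeader(name, value);
        super.setHeader(name, value);
    }
    @Override public void setIntHeader(String name, int value) {
        checkContentLengthHeader(name, Integer.toString(value));
        super.setIntHeader(name, value);
    }
    @Override public void addIntHeader(String name, int value) {
        checkContentLengthHeader(name, Integer.toString(value));
        super.addIntHeader(name, value);
    }

    private void checkContentLengthHeader(String name, String value) {
        if ("Content-Length".equalsIgnoreCase(name)) setContentLength(Integer.parseInt(value.trim()));
    }
}
```

Without the last three overrides, a wrapped call such as response.setIntHeader("Content-Length", 5) leaves contentLength at -1, checkContentLength never fires, and the container commits the response with none of the headers listed above.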
Mitigation
Only recent versions of Spring Security receive community support and updates. Older versions have no publicly available fixes for this vulnerability.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a currently supported version of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Wyfrel