CVE-2026-22731

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

19/03/2026

Last modified:

20/03/2026

Description

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.<br /> This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.<br /> This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 8.20 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Base Score 3.x

8.20

Severity 3.x

HIGH

References to Advisories, Solutions, and Tools

https://spring.io/security/cve-2026-22731