CVE-2026-22731
Authentication Bypass vulnerability in spring-boot-starter-actuator (Maven)
What is CVE-2026-22731 About?
This vulnerability enables authentication bypass in Spring Boot applications with Actuator when an authenticated endpoint is declared under a path that conflicts with a Health Group additional path. Attackers can gain unauthorized access to protected resources; exploitation is relatively easy once the specific configuration is present. The impact is significant, as it circumvents security controls designed to protect sensitive application functionality.
Affected Software
- org.springframework.boot:spring-boot-starter-actuator
- >=3.5.0, <3.5.12
- >=4.0.0-M1, <4.0.4
- >=3.4.0, <=3.4.13
Technical Details
The vulnerability affects Spring Boot applications that include Actuator. It occurs when an application endpoint that requires authentication is declared under a path that has also been configured as an 'additional path' for an Actuator Health Group. Because of this overlap in path configuration, the authentication mechanism for the application endpoint is bypassed: the Actuator's handling of the Health Group path can take precedence over, or fail to enforce, the application's authentication requirement for that shared path. An attacker who identifies such a misconfiguration can reach the normally protected endpoint without valid credentials, achieving an authentication bypass.
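As an added illustration (not taken from the advisory or from the Spring Boot project), the following application.yml shows the conflicting configuration pattern the advisory describes beside a corrected one, as two YAML documents of which only one would be used in a real application. The group name `admin`, the `/api/admin/status` path and the `/healthz/admin` path are assumed for the example; the application is assumed to map an authenticated controller at `/api/admin/status`.

```yaml
# Added example. Assumes the application declares a controller at
# /api/admin/status and that its security configuration requires
# authentication for that path.

# --- Conflicting configuration (the pattern described in the advisory) ---
management:
  endpoint:
    health:
      group:
        admin:
          include: diskSpace,ping
          # The health group's additional path is served on the main server
          # port at the SAME path as the authenticated application endpoint.
          # On affected versions this overlap is what leads to the bypass.
          additional-path: "server:/api/admin/status"
---
# --- Corrected configuration ---
# 1. Upgrade to a fixed version (3.5.12 or 4.0.4 per the advisory).
# 2. Keep every health-group additional path disjoint from any path the
#    application itself maps, so no Actuator route shadows a secured one.
management:
  endpoint:
    health:
      group:
        admin:
          include: diskSpace,ping
          additional-path: "server:/healthz/admin"
```

When reviewing an existing deployment, list every `management.endpoint.health.group.*.additional-path` value and compare it against the application's own request mappings; any match is the condition this advisory describes.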
What is the Impact of CVE-2026-22731?
Successful exploitation may allow attackers to bypass authentication mechanisms, gain unauthorized access to protected application functionalities, and potentially manipulate data or trigger sensitive operations not intended for public access.
What is the Exploitability of CVE-2026-22731?
Exploitation of this vulnerability requires identifying an application endpoint that requires authentication and is also declared under a Health Group's additional path in a Spring Boot Actuator setup. The attack is remote and typically needs no prior authentication or specific privileges, so it is available to unauthenticated attackers. The complexity is moderate, as it involves understanding Actuator path configuration and identifying the specific overlap. Risk factors include external exposure of Actuator endpoints and any critical application functionality reachable through the vulnerable path.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-22731?
Available Upgrade Options
- org.springframework.boot:spring-boot-starter-actuator
- >=3.5.0, <3.5.12 → Upgrade to 3.5.12
- org.springframework.boot:spring-boot-starter-actuator
- >=4.0.0-M1, <4.0.4 → Upgrade to 4.0.4
Additional Resources
What are Similar Vulnerabilities to CVE-2026-22731?
Similar Vulnerabilities: CVE-2026-22733, CVE-2022-22965, CVE-2021-22002, CVE-2020-5407, CVE-2019-3797
