CVE-2026-22733
Authentication Bypass vulnerability in spring-boot-starter-actuator (Maven)


What is CVE-2026-22733 About?

This vulnerability allows for authentication bypass in Spring Boot applications using Actuator when an authenticated endpoint is placed under a CloudFoundry Actuator path. Attackers can gain unauthorized access to protected resources, which is relatively easy to exploit given the specific configuration. The impact is significant, as it circumvents security controls designed to protect sensitive application functionality.

Affected Software

  • org.springframework.boot:spring-boot-starter-actuator
    • <=2.7.18
    • >=3.0.0, <=3.3.13
    • >=3.4.0, <=3.4.13
    • >=3.5.0, <3.5.12
    • >=4.0.0-M1, <4.0.4

Technical Details

The vulnerability arises in Spring Boot applications configured with Actuator when an application endpoint requiring authentication is declared under the same path used by CloudFoundry Actuator endpoints. The Actuator's CloudFoundry integration might incorrectly handle or prioritize access controls, leading to a situation where the authentication requirement for the application endpoint is bypassed. An attacker identifies the exposed authenticated application endpoint under the Actuator path and can access it without proper credentials, effectively sidestepping the intended security mechanisms. This allows access to functionality that should otherwise be protected.
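As an added illustration of the layout described above (example code, not from Spring Boot or this advisory): a startup guard that refuses to start the application if any of its own MVC mappings sit under Spring Boot's CloudFoundry actuator base path, `/cloudfoundryapplication` (a Spring Boot default, not named on this page). It assumes a servlet-based Spring MVC application and the standard `requestMappingHandlerMapping` bean.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

/**
 * Hypothetical startup guard: aborts context refresh if an application controller
 * is mapped under the CloudFoundry actuator base path, the layout this CVE concerns.
 * It only inspects the application's own RequestMappingHandlerMapping, so it is a
 * configuration check, not a substitute for the fixed versions.
 */
@Component
public class CloudFoundryPathGuard implements SmartInitializingSingleton {

    /** Spring Boot's CloudFoundry actuator base path (assumed default, not from the advisory). */
    static final String CF_ACTUATOR_BASE = "/cloudfoundryapplication";

    private final RequestMappingHandlerMapping mvcMappings;

    public CloudFoundryPathGuard(
            @Qualifier("requestMappingHandlerMapping") RequestMappingHandlerMapping mvcMappings) {
        this.mvcMappings = mvcMappings;
    }

    /** Returns every application path pattern equal to or nested under the CF actuator base. */
    static Set<String> findShadowedPaths(Map<RequestMappingInfo, HandlerMethod> mappings) {
        return mappings.keySet().stream()
                .flatMap(info -> info.getPatternValues().stream())
                .filter(p -> p.equals(CF_ACTUATOR_BASE) || p.startsWith(CF_ACTUATOR_BASE + "/"))
                .collect(Collectors.toCollection(TreeSet::new));
    }

    @Override
    public void afterSingletonsInstantiated() {
        // Runs after all singletons exist but before the web server starts serving requests.
        Set<String> shadowed = findShadowedPaths(mvcMappings.getHandlerMethods());
        if (!shadowed.isEmpty()) {
            throw new IllegalStateException(
                    "Application endpoints declared under " + CF_ACTUATOR_BASE + ": " + shadowed);
        }
    }
}
```

Throwing from `afterSingletonsInstantiated()` fails the context refresh, so a misplaced endpoint is caught at deploy time rather than discovered in production.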

What is the Impact of CVE-2026-22733?

Successful exploitation may allow attackers to bypass authentication mechanisms, gain unauthorized access to protected application functionalities, and potentially manipulate data or trigger sensitive operations not intended for public access.

What is the Exploitability of CVE-2026-22733?

Exploitation of this vulnerability requires specific configuration where a sensitive application endpoint is placed under a CloudFoundry Actuator path. It is likely a remote attack, requiring no prior authentication or specific privileges, making it accessible to unauthenticated attackers. The complexity is moderate, as it involves identifying the misconfigured paths. Risk factors include exposure of Actuator endpoints and the presence of sensitive application-specific functionality on those paths.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2026-22733?

Available Upgrade Options

  • org.springframework.boot:spring-boot-starter-actuator
    • >=3.5.0, <3.5.12 → Upgrade to 3.5.12
    • >=4.0.0-M1, <4.0.4 → Upgrade to 4.0.4


Additional Resources

What are Similar Vulnerabilities to CVE-2026-22733?

Similar Vulnerabilities: CVE-2026-22731, CVE-2022-22965, CVE-2021-22002, CVE-2020-5407, CVE-2019-3797