A critical-severity security flaw has been identified in Spring Security, the industry-standard framework for securing Java-based enterprise applications. The vulnerability, tracked as CVE-2026-22732 with a CVSS score of 9.1, reveals a critical failure in how the framework writes security-essential HTTP response headers under certain conditions.
This oversight, rated “Critical”, poses a significant risk to the confidentiality of user data: sensitive information may be leaked through public or browser caches.
The vulnerability centers on the framework’s core responsibility: ensuring that protective HTTP headers are consistently applied to outgoing traffic. In specific servlet application configurations, Spring Security may fail to write these headers entirely. As the advisory states:
“When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written”.
The absence of these headers—such as Cache-Control, Pragma, and X-Content-Type-Options—strips away a vital layer of defense. Without these instructions, browsers and intermediary proxy servers may inadvertently cache private pages, making them accessible to unauthorized users or subsequent visitors on a shared machine.
The primary danger of this flaw is the exposure of sensitive data via caching mechanisms. However, the advisory warns that the impact could be broader.
“This can open up applications to various attacks including exposing sensitive data via caching mechanisms”.
Beyond cache poisoning and information disclosure, the lack of standard security headers can leave applications vulnerable to clickjacking, cross-site scripting (XSS) via MIME-sniffing, and other web-based attacks that Spring Security is typically designed to prevent.
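A defender-side check for this failure mode, added here as an example (not code from the advisory or from the Spring project): it audits a response's headers against the values Spring Security's default headers configuration writes for servlet applications. The expected values assume that defaults are in use; `audit_url`, its URL and cookie argument, and the two sample header sets are constructed for illustration.

```python
"""Audit an HTTP response for the security headers Spring Security writes by default."""
from urllib.request import Request, urlopen

# Values Spring Security's default headers configuration emits for servlet applications.
# Assumption: the target uses the defaults; adjust EXPECTED if the headers were customised.
EXPECTED = {
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}


def audit_headers(headers):
    """Return a list of findings; an empty list means every expected header is present
    with the expected value. `headers` is any name -> value mapping (names case-insensitive)."""
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = normalized.get(name)
        if got is None:
            findings.append(f"missing {name}: response may be cached or MIME-sniffed")
        elif got.lower() != want.lower():
            findings.append(f"unexpected {name}: got {got!r}, expected {want!r}")
    return findings


def audit_url(url, cookie=None, timeout=10):
    """Hypothetical live check: GET `url` and audit the response headers.
    Pass a valid session cookie so the request reaches an authenticated page,
    since that is where cached content would expose user data."""
    req = Request(url, headers={"Cookie": cookie} if cookie else {})
    with urlopen(req, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()))


# Constructed sample responses (not captured from a real server).
HEALTHY = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma": "no-cache", "Expires": "0",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Content-Type": "text/html",
}
# The failure mode the advisory describes: the security headers are absent entirely.
STRIPPED = {"Content-Type": "text/html", "Content-Length": "512"}

if __name__ == "__main__":
    for label, hdrs in (("healthy", HEALTHY), ("stripped", STRIPPED)):
        print(label, audit_headers(hdrs) or "ok")
```

Run it against an authenticated page after upgrading to confirm the headers are back; a non-empty finding list on a page that should be protected is the signal to investigate.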
The vulnerability is widespread, affecting multiple major release branches of Spring Security, including the latest 7.0 version and several legacy versions still in active use:
- Spring Security 7.0.0 to 7.0.3
- Spring Security 6.5.0 to 6.5.8
- Spring Security 6.4.0 to 6.4.14
- Spring Security 6.3.0 to 6.3.14
- Spring Security 5.8.0 to 5.8.23
- Spring Security 5.7.0 to 5.7.21
Older, unsupported versions are also likely to be affected by this flaw.
The Spring team has released immediate patches to address this vulnerability. Organizations are urged to upgrade to the corresponding fixed versions based on their current release branch: