Security researchers have issued a double warning for developers using the Spring Boot framework, identifying two high-severity vulnerabilities that could allow attackers to bypass authentication. The flaws, tracked as CVE-2026-22731 and CVE-2026-22733, center on the improper mapping of application endpoints under sensitive infrastructure paths, such as those used by Spring Boot Actuators.
While the Spring team notes that the specific configurations required for these exploits “rarely occur in production,” the potential impact is high, as they could grant unauthorized access to administrative functions.
The first vulnerability (CVE-2026-22731, CVSS 8.2) involves an authentication bypass when a custom application endpoint is declared under a path already configured for an Actuator Health Group. This occurs when a health group is exposed under an additional path on the main server, creating a collision in how security filters are applied.
“Spring Boot applications with Actuator can be vulnerable to an ‘Authentication Bypass’ vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path”.
Essentially, if a developer maps a sensitive path like /healthz/admin while the /healthz path is already managed as a health group, the security layer may fail to challenge the user for credentials.
The second flaw (CVE-2026-22733, CVSS 8.2) follows a similar pattern but specifically targets applications utilizing CloudFoundry Actuator endpoints. In this scenario, an application is vulnerable if an endpoint requiring authentication is declared under the path used by the CloudFoundry Actuators, such as /cloudfoundryapplication/admin.
“Spring Boot applications with Actuator can be vulnerable to an ‘Authentication Bypass’ vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints”.
Both vulnerabilities highlight a core architectural risk: mapping custom application logic under infrastructure-level endpoints. The Spring team explicitly warns that this practice “is not recommended by the Spring team and that doing so is likely to interfere with other configurations and cause behavior problems”.
The vulnerabilities are widespread across several major release branches of Spring Boot, including the latest 4.0 version and several legacy iterations:
- Spring Boot 4.0.0 to 4.0.3
- Spring Boot 3.5.0 to 3.5.11
- Spring Boot 3.4.0 to 3.4.14
- Spring Boot 3.3.0 to 3.3.17
- Spring Boot 2.7.0 to 2.7.31
The primary defense against these bypasses is to update to the latest fixed versions of the framework. Additionally, developers should ensure that application endpoints are strictly separated from Actuator and other infrastructure paths.
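As an added check, not code from the advisory or the Spring project, the following lint flags controller mappings declared under a health group `additional-path` on the main server, under the Actuator base path, or under `/cloudfoundryapplication`, the three collisions the text describes. The property keys are real Spring Boot keys; the sample properties and Java source are constructed, and YAML configuration and class-level `@RequestMapping` prefixes are assumed out of scope.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration: a health group exposed on the main server port.
PROPERTIES = """\
management.endpoints.web.base-path=/actuator
management.endpoint.health.group.live.include=livenessState
management.endpoint.health.group.live.additional-path=server:/healthz
"""

# Constructed sample controller: two risky mappings and one properly separated one.
JAVA_SOURCES: Dict[str, str] = {
    "AdminController.java": '''
@RestController
public class AdminController {
    @GetMapping("/healthz/admin")                   // under the health group path
    public String admin() { return "ok"; }
    @PostMapping("/cloudfoundryapplication/admin")  // under the CloudFoundry path
    public String cfAdmin() { return "ok"; }
    @GetMapping("/api/admin")                       // separated from infrastructure
    public String apiAdmin() { return "ok"; }
}
'''
}

CLOUDFOUNDRY_PATH = "/cloudfoundryapplication"
MAPPING_RE = re.compile(
    r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\(\s*(?:value\s*=\s*|path\s*=\s*)?"([^"]+)"')
ADDITIONAL_PATH_RE = re.compile(
    r'^management\.endpoint\.health\.group\.[^.]+\.additional-path\s*=\s*server:(\S+)')
BASE_PATH_RE = re.compile(r'^management\.endpoints\.web\.base-path\s*=\s*(\S+)')


def reserved_prefixes(properties: str) -> List[str]:
    """Infrastructure path prefixes that application endpoints must not sit under."""
    prefixes = [CLOUDFOUNDRY_PATH]
    base_path = "/actuator"  # Spring Boot default when base-path is not set
    for raw in properties.splitlines():
        line = raw.strip()
        if m := BASE_PATH_RE.match(line):
            base_path = m.group(1)
        if m := ADDITIONAL_PATH_RE.match(line):  # only server: paths hit the main port
            prefixes.append(m.group(1).rstrip("/"))
    prefixes.append(base_path.rstrip("/"))
    return prefixes


def find_collisions(properties: str, sources: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, mapped path, reserved prefix) for every colliding mapping."""
    prefixes = reserved_prefixes(properties)
    hits = []
    for name, src in sources.items():
        for path in MAPPING_RE.findall(src):
            for prefix in prefixes:
                if path == prefix or path.startswith(prefix + "/"):
                    hits.append((name, path, prefix))
    return hits
```

Run it against a real project's `application.properties` and controller sources; any hit is a mapping to move out from under the infrastructure path regardless of which Spring Boot version is deployed.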