The Spring Security team has issued a series of security advisories detailing seven distinct vulnerabilities impacting the widely used authentication and authorization framework. While several flaws affect older versions, the recently released Spring Security 7.0 is at the center of the storm, being susceptible to nearly every newly disclosed threat.
From high-severity metadata validation failures to authorization bypasses, these vulnerabilities range from “Critical” to “Low” severity, necessitating immediate attention from developers and system administrators.
The most severe of the disclosures is CVE-2026-22752, carrying a CVSS score of 9.6. This vulnerability resides in the Spring Security Authorization Server when Dynamic Client Registration is enabled.
Insufficient validation of certain client metadata fields allows an attacker with a valid Initial Access Token to register a malicious client. Depending on the configuration, this can lead to Stored Cross-Site Scripting (XSS), Privilege Escalation, or Server-Side Request Forgery (SSRF).
Equally concerning for Spring Security 7.0 users are two authorization bypass flaws, both rated 8.1:
- CVE-2026-22754: XML authorization rules fail to correctly include the servlet path in path matching, meaning intended security controls may not be exercised.
- CVE-2026-22753: A similar issue occurs in HttpSecurity#securityMatchers when using a PathPatternRequestMatcher.Builder to prepend a servlet path.
Two flaws target the way Spring Security identifies users, potentially leading to unauthorized access:
- X.509 Impersonation (CVE-2026-22747): The SubjectX500PrincipalExtractor fails to correctly handle certain malformed Common Name (CN) values in certificates. This can lead to the framework reading the wrong username, allowing an attacker to impersonate another user.
- User Attribute Enumeration (CVE-2026-22746): A timing attack defense bypass in the DaoAuthenticationProvider allows an attacker to determine if a user is disabled, expired, or locked.
Rounding out the list are two moderate-to-low severity issues:
- The “One-Time” Token Race (CVE-2026-22751): Applications using JdbcOneTimeTokenService are vulnerable to a TOCTOU (Time-of-check Time-of-use) race condition. An attacker can use a single-use token multiple times by sending concurrent requests, establishing several authenticated sessions.
- JWT Misconfiguration (CVE-2026-22748): A potential security misconfiguration exists when using withIssuerLocation for JWT decoding. Developers may mistakenly assume issuer validation is added automatically; recent maintenance versions now add this by default to prevent bypasses.
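As an added illustration of the `withIssuerLocation` point above (example code, not from the advisory or the Spring Security project), the snippet below shows a decoder that relies on the builder alone next to one that pins the issuer validator explicitly, so the check does not depend on which maintenance version is on the classpath. The issuer URL and class name are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Placeholder issuer; replace with the real authorization server URL.
    private static final String ISSUER = "https://idp.example.com/realms/demo";

    // Before: the decoder is built from the issuer location only. The JWK set
    // is fetched from the issuer's metadata, but whether the "iss" claim of an
    // incoming token is compared against ISSUER depends on the Spring Security
    // version, which is the misconfiguration the advisory describes.
    JwtDecoder decoderRelyingOnDefaults() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    // After: attach the issuer validator explicitly. createDefaultWithIssuer
    // combines the default timestamp checks with a check that "iss" equals
    // ISSUER, so a token signed with a trusted key but issued by a different
    // issuer is rejected regardless of framework defaults.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        OAuth2TokenValidator<Jwt> issuerValidator = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(issuerValidator);
        return decoder;
    }
}
```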
The Spring Security team strongly recommends that users of affected versions upgrade immediately to the corresponding fixed versions:
- Spring Security 7.0.x users should upgrade to 7.0.5.
- Spring Security 6.5.x users should upgrade to 6.5.10.
- Spring Security 6.4.x users should upgrade to 6.4.16.
For those unable to upgrade immediately, workarounds exist for the path matching issues, such as placing the servlet path directly in the URL pattern, but these should be considered temporary measures until a full patch is applied.