CVE-2026-22731
Severity: HIGH 8.2 | EPSS: 0.04%
Spring Boot has an Authentication Bypass under Actuator Health groups paths
Published: 3/20/2026 | Modified: 4/16/2026
Description
Spring Boot applications that use Actuator can be vulnerable to an authentication bypass when an application endpoint that requires authentication is declared under a path that is already configured as a Health Group additional path. This issue affects Spring Boot from 4.0 before 4.0.3, from 3.5 before 3.5.11, and from 3.4 before 3.4.15. This CVE is similar to but not equivalent to CVE-2026-22733: the conditions for exploitation and the vulnerable versions differ.
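The following triage helper is an added example, not part of the advisory or of Spring Boot itself. It encodes the three affected ranges exactly as the description states them and scans an application.properties file for the precondition the description names: a Health Group with an additional path. It assumes the documented Spring Boot property key form management.endpoint.health.group.<name>.additional-path (YAML configuration is not parsed), and it treats a version qualifier such as -SNAPSHOT as equivalent to the release. A positive result means the version is in an affected range and the configuration precondition is present; it does not by itself confirm that a particular endpoint is reachable without authentication, which depends on where the application's own authenticated endpoints are declared.

```python
"""Triage helper for CVE-2026-22731 (added example, not part of the advisory).

Two checks:
  1. Is a Spring Boot version inside one of the affected ranges the advisory
     description lists (4.0 before 4.0.3, 3.5 before 3.5.11, 3.4 before 3.4.15)?
  2. Does an application.properties file configure a Health Group additional path,
     the precondition the advisory names?
Assumption: property keys use the documented form
management.endpoint.health.group.<name>.additional-path; YAML is not parsed here.
"""
import re
from typing import Optional

# (lower bound inclusive, fixed version exclusive), taken from the description.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 3)),
    ((3, 5, 0), (3, 5, 11)),
    ((3, 4, 0), (3, 4, 15)),
]


def parse_version(version: str) -> tuple:
    """Turn '3.4.13' or '3.5.10-SNAPSHOT' into (3, 4, 13).

    Qualifiers after '-' are dropped (assumption: a pre-release of X.Y.Z is
    treated like X.Y.Z, which errs on the side of flagging it).
    """
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spring Boot version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed version for an affected version, else None."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


# Matches "management.endpoint.health.group.<name>.additional-path=<value>";
# .properties files allow either '=' or ':' as the separator.
ADDITIONAL_PATH_RE = re.compile(
    r"^\s*management\.endpoint\.health\.group\.([^.\s=:]+)\.additional-path\s*[=:]\s*(\S+)",
    re.MULTILINE,
)


def health_group_additional_paths(properties_text: str) -> dict:
    """Map health-group name -> configured additional path (e.g. 'server:/healthz')."""
    return {m.group(1): m.group(2) for m in ADDITIONAL_PATH_RE.finditer(properties_text)}


def triage(version: str, properties_text: str) -> dict:
    """Combine the version check with the configuration precondition."""
    paths = health_group_additional_paths(properties_text)
    affected = is_affected(version)
    return {
        "version_affected": affected,
        "fixed_in": fixed_version_for(version),
        "additional_paths": paths,
        "precondition_present": affected and bool(paths),
    }


# Constructed sample application.properties (not taken from any real project).
SAMPLE_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.health.group.live.include=livenessState
management.endpoint.health.group.live.additional-path=server:/healthz
management.endpoint.health.group.ready.include=readinessState
"""

if __name__ == "__main__":
    for v in ("3.4.13", "3.4.15", "3.5.10", "4.0.2", "2.7.18"):
        print(v, triage(v, SAMPLE_PROPERTIES))
```

Run it against the real application.properties and the Spring Boot version from the build file; any result with precondition_present set is a candidate to upgrade to the fixed_in version before investigating which authenticated endpoints sit under the listed additional paths.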
Affected packages (1)
- Maven / org.springframework.boot:spring-boot-starter-actuator: >= 3.4.0, <= 3.4.13
Note that this single package entry does not reflect the full set of ranges in the description above, which also lists 3.5 before 3.5.11 and 4.0 before 4.0.3, and gives 3.4.15 as the 3.4 fix version, later than the upper bound shown here. Treat the description's ranges as authoritative when triaging.
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |