CVE-2026-22731
Severity: HIGH 8.2 | EPSS: 0.04%

Spring Boot has an Authentication Bypass under Actuator Health groups paths

Published: 2026/3/20 | Modified: 2026/4/16

Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Affected packages (1)

- Maven / org.springframework.boot:spring-boot-starter-actuator: >= 3.4.0, <= 3.4.13

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |