Search

Find a vulnerability

Search criteria

    2 vulnerabilities by Spring Security

    CVE-2026-22752 (GCVE-0-2026-22752)

    Vulnerability from nvd – Published: 2026-07-16 08:40 – Updated: 2026-07-16 12:16
    VLAI
    Title
    Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata
    Summary
    Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server. This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Spring Security Spring Authorization Server Affected: 7.0.0 , ≤ 7.0.4 (custom)
    Affected: 1.5.0 , ≤ 1.5.6 (custom)
    Affected: 1.4.0 , ≤ 1.4.9 (custom)
    Affected: 1.3.0 , ≤ 1.3.10 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T12:15:31.051109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T12:16:22.917Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Spring Authorization Server",
              "vendor": "Spring Security",
              "versions": [
                {
                  "lessThanOrEqual": "7.0.4",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.5.6",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.4.9",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.3.10",
                  "status": "affected",
                  "version": "1.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\u003cp\u003eThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.\u003c/p\u003e"
                }
              ],
              "value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\n\nThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T08:40:23.009Z",
            "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            "shortName": "vmware"
          },
          "references": [
            {
              "url": "https://spring.io/security/cve-2026-22752"
            }
          ],
          "source": {
            "advisory": "https://spring.io/security/cve-2026-22752",
            "discovery": "EXTERNAL"
          },
          "title": "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "assignerShortName": "vmware",
        "cveId": "CVE-2026-22752",
        "datePublished": "2026-07-16T08:40:23.009Z",
        "dateReserved": "2026-01-09T06:55:03.990Z",
        "dateUpdated": "2026-07-16T12:16:22.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22752 (GCVE-0-2026-22752)

    Vulnerability from cvelistv5 – Published: 2026-07-16 08:40 – Updated: 2026-07-16 12:16
    VLAI
    Title
    Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata
    Summary
    Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server. This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Spring Security Spring Authorization Server Affected: 7.0.0 , ≤ 7.0.4 (custom)
    Affected: 1.5.0 , ≤ 1.5.6 (custom)
    Affected: 1.4.0 , ≤ 1.4.9 (custom)
    Affected: 1.3.0 , ≤ 1.3.10 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-16T12:15:31.051109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-16T12:16:22.917Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Spring Authorization Server",
              "vendor": "Spring Security",
              "versions": [
                {
                  "lessThanOrEqual": "7.0.4",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.5.6",
                  "status": "affected",
                  "version": "1.5.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.4.9",
                  "status": "affected",
                  "version": "1.4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.3.10",
                  "status": "affected",
                  "version": "1.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\u003cp\u003eThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.\u003c/p\u003e"
                }
              ],
              "value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\n\nThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T08:40:23.009Z",
            "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
            "shortName": "vmware"
          },
          "references": [
            {
              "url": "https://spring.io/security/cve-2026-22752"
            }
          ],
          "source": {
            "advisory": "https://spring.io/security/cve-2026-22752",
            "discovery": "EXTERNAL"
          },
          "title": "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "assignerShortName": "vmware",
        "cveId": "CVE-2026-22752",
        "datePublished": "2026-07-16T08:40:23.009Z",
        "dateReserved": "2026-01-09T06:55:03.990Z",
        "dateUpdated": "2026-07-16T12:16:22.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }