Search
Find a vulnerability
Search criteria
2 vulnerabilities by Spring Security
CVE-2026-22752 (GCVE-0-2026-22752)
Vulnerability from nvd – Published: 2026-07-16 08:40 – Updated: 2026-07-16 12:16
VLAI
EPSS
VEX
Title
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata
Summary
Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.
This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring Security | Spring Authorization Server |
Affected:
7.0.0 , ≤ 7.0.4
(custom)
Affected: 1.5.0 , ≤ 1.5.6 (custom) Affected: 1.4.0 , ≤ 1.4.9 (custom) Affected: 1.3.0 , ≤ 1.3.10 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:15:31.051109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:16:22.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Authorization Server",
"vendor": "Spring Security",
"versions": [
{
"lessThanOrEqual": "7.0.4",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.5.6",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.3.10",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\u003cp\u003eThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.\u003c/p\u003e"
}
],
"value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\n\nThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:40:23.009Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22752"
}
],
"source": {
"advisory": "https://spring.io/security/cve-2026-22752",
"discovery": "EXTERNAL"
},
"title": "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22752",
"datePublished": "2026-07-16T08:40:23.009Z",
"dateReserved": "2026-01-09T06:55:03.990Z",
"dateUpdated": "2026-07-16T12:16:22.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22752 (GCVE-0-2026-22752)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:40 – Updated: 2026-07-16 12:16
VLAI
EPSS
VEX
Title
Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata
Summary
Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.
This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring Security | Spring Authorization Server |
Affected:
7.0.0 , ≤ 7.0.4
(custom)
Affected: 1.5.0 , ≤ 1.5.6 (custom) Affected: 1.4.0 , ≤ 1.4.9 (custom) Affected: 1.3.0 , ≤ 1.3.10 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:15:31.051109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:16:22.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Authorization Server",
"vendor": "Spring Security",
"versions": [
{
"lessThanOrEqual": "7.0.4",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.5.6",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.3.10",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\u003cp\u003eThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.\u003c/p\u003e"
}
],
"value": "Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server.\n\nThis issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:40:23.009Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22752"
}
],
"source": {
"advisory": "https://spring.io/security/cve-2026-22752",
"discovery": "EXTERNAL"
},
"title": "Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22752",
"datePublished": "2026-07-16T08:40:23.009Z",
"dateReserved": "2026-01-09T06:55:03.990Z",
"dateUpdated": "2026-07-16T12:16:22.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}