CVE-2023-20860

HIGH

Spring Framework <6.0.7 or <5.3.26 - Auth Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-20860. PoCs published by limo520.

AI-analyzed exploit summary: This repository contains a working PoC for CVE-2023-20860, demonstrating a security bypass vulnerability in Spring Framework due to un-prefixed double wildcard patterns. The test case verifies the vulnerability in Spring Boot 3.0.4 and its fix in 3.0.5.

Description

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Exploits (1)

nomisec · Working PoC · 2 stars
by limo520 · PoC
https://github.com/limo520/CVE-2023-20860

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Spring Framework 6.0.0-6.0.6, 5.3.0-5.3.25
Authentication: None needed
Prerequisites: Spring Boot application with vulnerable Spring Framework version
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.6384
EPSS Percentile: 98.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

Status: published
Products (3)
org.springframework/spring 6.0.0 - 6.0.7 (Maven)
org.springframework/spring-webmvc 6.0.0 - 6.0.7 (Maven)
vmware/spring_framework 5.3.0 - 5.3.26
Published: Mar 27, 2023
Tracked Since: Feb 18, 2026