CVE-2023-34034

CRITICAL

Spring Security 5.6.0-5.6.11, 5.7.0-5.7.8, 5.8.0-5.8.3, 6.0.0-6.0.3, 6.1.0 Security Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-34034. PoCs published by hotblac.

AI-analyzed exploit summary This repository demonstrates CVE-2023-34034, an authorization bypass vulnerability in Spring Security. The PoC includes a Spring Boot application with misconfigured security rules, allowing unauthorized access to admin endpoints.

Description

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

Exploits (1)

nomisec WORKING POC 1 stars
by hotblac · poc
https://github.com/hotblac/cve-2023-34034

This repository demonstrates CVE-2023-34034, an authorization bypass vulnerability in Spring Security. The PoC includes a Spring Boot application with misconfigured security rules, allowing unauthorized access to admin endpoints.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security (specific version not specified in code)
No auth needed
Prerequisites: Spring Security with misconfigured authorization rules
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.1
EPSS 0.4282
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-281
Status published
Products (7)
None/Spring Security Spring Security 5.6.0 - 5.6.11
None/Spring Security Spring Security 5.7.0 - 5.7.9
None/Spring Security Spring Security 5.8.0 - 5.8.4
None/Spring Security Spring Security 6.0.0 - 6.0.4
None/Spring Security Spring Security 6.1.0 - 6.1.1
org.springframework.security/spring-security-config 5.6.0 - 5.6.12Maven
vmware/spring_security 5.6.0 - 5.6.12
Published Jul 19, 2023
Tracked Since Feb 18, 2026