CVE-2026-22753

HIGH

Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers

Title source: cna

Description

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.

References (1)

Core 1

Core References

https://spring.io/security/cve-2026-22753

Scores

CVSS v3 7.5

EPSS 0.0025

EPSS Percentile 15.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-693

Status published

Products (2)

org.springframework.security/spring-security-config 7.0.0 - 7.0.5Maven

Spring/Spring Security 7.0.0 - 7.0.4

Published Apr 22, 2026

Tracked Since Apr 22, 2026