{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22732", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-03-19T22:47:38.199Z", "dateUpdated": "2026-03-21T04:01:50.715Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:47:38.199Z"}, "title": "Under Some Conditions Spring Security HTTP Headers Are not Written", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "lessThanOrEqual": "5.7.21", "versionType": "custom"}, {"status": "affected", "version": "5.8.0", "lessThanOrEqual": "5.8.23", "versionType": "custom"}, {"status": "affected", "version": "6.3.0", "lessThanOrEqual": "6.3.14", "versionType": "custom"}, {"status": "affected", "version": "6.4.0", "lessThanOrEqual": "6.4.14", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.8", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.&nbsp;<br><p>This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22732"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-425", "lang": "en", "description": "CWE-425 Direct Request ('Forced Browsing')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-22732"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T04:01:50.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:01:06.718510Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-425", "description": "CWE-425 Direct Request ('Forced Browsing')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:01:01.327Z"}}], "cna": {"title": "Under Some Conditions Spring Security HTTP Headers Are not Written", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "versionType": "custom", "lessThanOrEqual": "5.7.21"}, {"status": "affected", "version": "5.8.0", "versionType": "custom", "lessThanOrEqual": "5.8.23"}, {"status": "affected", "version": "6.3.0", "versionType": "custom", "lessThanOrEqual": "6.3.14"}, {"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.14"}, {"status": "affected", "version": "6.5.0", "versionType": "custom", "lessThanOrEqual": "6.5.8"}, {"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22732"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.", "supportingMedia": [{"type": "text/html", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.&nbsp;<br><p>This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-19T22:47:38.199Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22732", "state": "PUBLISHED", "dateUpdated": "2026-03-21T04:01:50.715Z", "dateReserved": "2026-01-09T06:54:41.498Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T22:47:38.199Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3."}], "id": "CVE-2026-22732", "lastModified": "2026-03-20T15:16:15.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.253", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22732"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers", "id": "2449306", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449306"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-166", "details": ["A flaw was found in Spring Security. When applications using Spring Security specify HTTP response headers for servlet applications, these headers may not be written. This can lead to a bypass of security policies or information disclosure, potentially allowing an attacker to gain unauthorized access to sensitive data or compromise the integrity of the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22732", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.apache.servicemix.bundles.spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-19T22:47:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22732\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22732\nhttps://spring.io/security/cve-2026-22732"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.7.0,5.7.21]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.8.0,5.8.23]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.3.0,6.3.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.4.0,6.4.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.5.0,6.5.8]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-20T12:23:19.559334+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a version released after 7.0.3 (or to the latest stable release).", "If an immediate upgrade is not possible, manually configure critical security headers\u2014such as X\u2011Frame\u2011Options, X\u2011Content\u2011Type\u2011Options, and Content\u2011Security\u2011Policy\u2014in your application or servlet configuration to ensure they are always emitted.", "Continuously monitor application logs and traffic for abnormal header behavior and verify that headers are consistently present on all responses."], "summary": {"action": "Patch", "impact": "Security feature bypass due to missing HTTP response headers"}, "threat_synthesis": {"affected_systems": "Spring Security versions 5.7.0\u20115.7.21, 5.8.0\u20115.8.23, 6.3.0\u20116.3.14, 6.4.0\u20116.4.14, 6.5.0\u20116.5.8, and 7.0.0\u20117.0.3 are vulnerable. All affected releases are identified by the vendor as part of the Spring Security product suite.", "description_and_impact": "Spring Security may fail to write configured HTTP response headers for servlet applications under certain conditions. This behavior, categorized as CWE\u2011277, allows an attacker to bypass browser security mechanisms such as click\u2011jacking protection, MIME\u2011sniffing prevention, and other header\u2011based policies, potentially enabling further exploitation of the application. The ability to omit security headers can directly compromise user confidentiality, integrity, and availability of the web application.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.1, indicating critical severity. EPSS data is currently not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, browser\u2011based request to a servlet endpoint that triggers the missing header condition, allowing an attacker to leverage the omission for click\u2011jacking or MIME\u2011sniffing attacks. No public exploitation exploits have been observed, but the high CVSS score signifies a high risk to exposed applications."}}}}, "created": "2026-03-20T08:54:36.471406+00:00", "updated": "2026-03-20T14:14:44.173908+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"]}