{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22747", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.990Z", "datePublished": "2026-04-22T05:08:41.318Z", "dateUpdated": "2026-04-23T03:56:11.308Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:08:41.318Z"}, "title": "Unauthorized User Impersonation when Using X.509 Client Certificates", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security.\u00a0SubjectX500PrincipalExtractor\u00a0does not correctly handle certain malformed X.509 certificate\u00a0CN\u00a0values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\nThis issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security.&nbsp;<code>SubjectX500PrincipalExtractor</code><span>&nbsp;</span><span>does not correctly handle certain malformed X.509 certificate</span><span>&nbsp;</span><code>CN</code><span>&nbsp;</span><span>values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.</span><br><p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22747"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-297", "lang": "en", "description": "CWE-297 Improper Validation of Certificate with Host Mismatch"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-22747"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T03:56:11.308Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T15:42:14.275423Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-297", "description": "CWE-297 Improper Validation of Certificate with Host Mismatch"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:52:52.728Z"}}], "cna": {"title": "Unauthorized User Impersonation when Using X.509 Client Certificates", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22747"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security.\u00a0SubjectX500PrincipalExtractor\u00a0does not correctly handle certain malformed X.509 certificate\u00a0CN\u00a0values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\nThis issue affects Spring Security: from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Spring Security.&nbsp;<code>SubjectX500PrincipalExtractor</code><span>&nbsp;</span><span>does not correctly handle certain malformed X.509 certificate</span><span>&nbsp;</span><code>CN</code><span>&nbsp;</span><span>values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.</span><br><p>This issue affects Spring Security: from 7.0.0 through 7.0.4.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:08:41.318Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22747", "state": "PUBLISHED", "dateUpdated": "2026-04-22T16:00:15.525Z", "dateReserved": "2026-01-09T06:55:03.990Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-22T05:08:41.318Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B8A5767-EB43-4E11-8E93-9324B70F7060", "versionEndExcluding": "7.0.5", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security.\u00a0SubjectX500PrincipalExtractor\u00a0does not correctly handle certain malformed X.509 certificate\u00a0CN\u00a0values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\nThis issue affects Spring Security: from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22747", "lastModified": "2026-04-24T14:18:56.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T06:16:03.933", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22747"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-297"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-22T07:05:40.145083+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to version 7.0.5 or later to apply the fix for the certificate parsing bug", "If an upgrade is not feasible immediately, disable X.509 client certificate authentication in the affected application", "Implement additional validation of the X.509 certificate\u2019s CN field before it is used for authentication"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized User Impersonation"}, "threat_synthesis": {"affected_systems": "Spring Security, versions 7.0.0 through 7.0.4.", "description_and_impact": "A flaw in Spring Security\u2019s SubjectX500PrincipalExtractor allows a malformed Common Name (CN) field in an X.509 client certificate to be parsed incorrectly. The component can read an unintended value as the authenticated username, enabling an attacker to impersonate any user for whom a valid certificate is not required.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.8. EPSS data is not available, and it is not listed in the CISA KEV catalog. Exploitation requires an application that accepts X.509 client certificates. An attacker would need to supply a specially crafted certificate; if successful, the victim\u2019s session would be bound to the forged identity, allowing access to resources they normally could not reach. No public exploit is currently known, but the nature of the attack vector and the moderate CVSS rating suggests that it could be actively leveraged in targeted or automated attacks."}}}}, "created": "2026-04-22T07:15:11.666370+00:00", "updated": "2026-04-22T11:44:46.279324+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"], "weaknesses": ["CWE-287", "CWE-374"]}