Spring Boot with Actuator: Unauthenticated access to sensitive endpoints
CVE-2026-22733
Summary
Some Spring Boot applications with Actuator enabled may allow unauthenticated access to endpoints that are meant to require authentication. An attacker could read sensitive data or trigger actions without ever authenticating. To fix this, update Spring Security to a patched version, or reconfigure your Actuator endpoints so that they use a different path from your authenticated application endpoints.
Original title
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the...
Original description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
NVD CVSS 3.1 score: 8.2
Vulnerability type
CWE-288: Authentication Bypass Using Alternate Path
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026