Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending reques...

ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +2224 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator (>=3.4.0 <=3.5.11)

org.springframework.boot:spring-boot-actuator MAVEN version =3.4.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.1.0, =0.8.2 - cc.zzzyu.nacos:nacos-ai =3.1.1 - cc.zzzyu.nacos:nacos-cmdb =3.1.1 - cc.zzzyu.nacos:nacos-config =3.1.1 - cc.zzzyu.nacos:nacos-console =3.1.1...

ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +2146 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=3.4.0 <=3.5.11)

org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =3.4.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.1.0, =0.8.2 - cc.zzzyu.nacos:nacos-ai =3.1.1 - cc.zzzyu.nacos:nacos-cmdb =3.1.1 - cc.zzzyu.nacos:nacos-config =3.1.1 -...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +711 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=4.0.0-M1 <=4.0.3)

org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.2.1 and more Source cves: CVE-2026-22731 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending reques...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +770 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator (>=4.0.0-M1 <=4.0.3)

org.springframework.boot:spring-boot-actuator MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.2.1 and more Source cves: CVE-2026-22731 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701840...

ai.ancf.lmos:arc-runner (>=0.1.1 <=0.114.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +4667 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-actuator (>=3.0.0 <=3.5.11)

org.springframework.boot:spring-boot-actuator MAVEN version =3.0.0, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =cloud-0.1, =0.1.0, =0.0.1, =7.0.0, =1.1.0, =3.4.0 and more Source cves: CVE-2026-22733 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701836...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +770 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-actuator (>=4.0.0-M1 <=4.0.3)

org.springframework.boot:spring-boot-actuator MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.2.1 and more Source cves: CVE-2026-22733 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701836...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +711 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=4.0.0-M1 <=4.0.3)

org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.2.1 and more Source cves: CVE-2026-22733 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701...

ai.ancf.lmos:arc-runner (>=0.1.1 <=0.114.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +4205 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=3.0.0 <=3.5.11)

org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =3.0.0, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =cloud-0.1, =0.0.1, =7.0.0, =1.1.0, =2.3.0, =3.4.0 and more Source cves: CVE-2026-22733 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701...

ch.admin.bit.jeap.jme:jme-spring-boot-integration-test-it (>=1.0.0 <=1.0.1), ch.admin.bit.jeap:jeap-archrepo-instance (>=4.17.0 <=4.22.0) +1046 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-starter-actuator (>=3.5.0 <=3.5.11)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =3.5.0, =1.0.0, =4.17.0, =4.17.0, =4.17.0, =3.14.0, =3.14.0, =3.14.0, =0.0.1, =0.0.13, =0.0.1, =0.0.1, =2.43.0, =4.14.0, =4.14.0, =4.14.0, =4.18.0 and more Source cves: CVE-2026-22731 Source advisory: OSV:GHSA-8HFC-FQ58-R658...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.114.0 <=0.120.0) +1408 more potentially affected by CVE-2026-22735 via org.springframework:spring-webflux (>=6.2.0 <=6.2.16)

org.springframework:spring-webflux MAVEN version =6.2.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.6 - ai.telosforge:kimaira-util-webclient =1.2.6 and more Source cves: CVE-2026-22735 Source advisory:...

ai.langsa:ccaas-starter (=cloud-0.3), au.csiro.pathling:fhir-server (>=7.0.0 <=7.1.0) +2736 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-starter-actuator (>=3.0.0 <=3.3.13)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =3.0.0, =7.0.0, =2.10.0, =3.6.0, =3.3.0, =2.10.0, =2.10.0, =2.10.0, =3.0.0, =3.3.0, =3.3.0, =3.3.0, =3.3.0, =3.4.0 and more So...

ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +1033 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-starter-actuator (>=3.4.0 <=3.4.13)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =3.4.0, =0.5.0, =0.8.0, =0.0.1, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.1.2 and more Source cves: CVE-2026-22733 Source advisory: OSV:GHSA-MGVC-8Q2H-5PGC...

ai.foremast.metrics:foremast-spring-boot-15x-starter (>=0.1.8 <=0.1.12), ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7) +7648 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-starter-actuator (>=1.0.0.RELEASE <=2.7.18)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =1.0.0.RELEASE, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =j8.2.2.0, =j8.2.2.0, =j8.2.2.0, =j8.2.2.0, =j8.2.2.0, =j11.2.6.2 and more Source cves: CVE-2026-22733 Source advisory:...

Spring Boot has an Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +1033 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-starter-actuator (>=3.4.0 <=3.4.13)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =3.4.0, =0.5.0, =0.8.0, =0.0.1, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.1.2 and more Source cves: CVE-2026-22731 Source advisory: OSV:GHSA-8HFC-FQ58-R658...

GHSA-MGVC-8Q2H-5PGC Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

GHSA-8HFC-FQ58-R658 Spring Boot has an Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +679 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-starter-actuator (>=4.0.0-M1 <=4.0.3)

org.springframework.boot:spring-boot-starter-actuator MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.2.1 and more Source cves: CVE-2026-22733 Source advisory: OSV:GHSA-MGVC-8Q2H-5PGC...