1123 matches found
Incorrect Authorization
Overview: org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Incorrect Authorization via the annotation detection mechanism when resolving annotations on methods within type...
GHSA-8V5Q-RHF3-JPHM Spring Security annotation detection mechanism has authorization bypass
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization...
Vulnerabilities fixed in Spring Framework
VMware has fixed vulnerabilities in the Spring Security framework. The vulnerabilities are in the way the Spring Security framework detects annotations, particularly in type hierarchies that use parameterized supertypes with unlimited generics. This can lead to authorization bypass when using...
CVE-2025-41248 CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization...
CVE-2025-41248
The connected IBM security bulletins confirm CVE-2025-41248 is a Spring Framework annotation resolution issue affecting methods in type hierarchies with parameterized unbounded generics, potentially bypassing authorization when using EnableMethodSecurity (e.g., @PreAuthorize). Remediation via IBM...
Spring Security security vulnerability
Spring Security is a Spring open source security framework with authentication and authorization capabilities. A security vulnerability exists in Spring Security that stems from the annotation detection mechanism not being able to correctly resolve annotations for methods in generic superclasses,...
PT-2025-37862
Name of the Vulnerable Software and Affected Versions: Spring Framework (affected versions not specified). Description: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type. This can lead to an...
PT-2025-37861
Name of the Vulnerable Software and Affected Versions: Spring Framework (affected versions not specified). Description: The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type. This can lead to an...
Spring Authorization Server moving to Spring Security 7.0
Spring Authorization Server has come a long way since 1.0 was officially released in November 2022. Starting as a project separate from Spring Security has allowed it to iterate quickly on feature development and ultimately grow a rich feature set for building OAuth2 Authorization Servers. It ha...
Access API Moves to Spring Security Access
Five years ago, Spring Security began the journey of modernizing its authorization API. This has paved the way for a number of exciting features like Authorized POJOs, value masking, and, planned for Spring Security 7, Multi-Factor Authentication. This also deprecated the majority of the Access...
Security Bulletin: EndpointRequest.to() creates a matcher for null/** if the actuator endpoint is disabled or not exposed, which affects IBM watsonx.data
Summary: EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security; EndpointRequest.to has been used i...
Linux Distros Unpatched Vulnerability : CVE-2022-31690
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certai...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-core-6.4.5.jar
Summary: IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-core-6.4.5.jar. Vulnerability Details: CVEID: CVE-2025-41232. DESCRIPTION: Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass...
Linux Distros Unpatched Vulnerability : CVE-2018-1199
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3...
Linux Distros Unpatched Vulnerability : CVE-2016-5007
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping...
Linux Distros Unpatched Vulnerability : CVE-2022-22976
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the...
Linux Distros Unpatched Vulnerability : CVE-2022-22978
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In spring security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on...
This Week in Spring - August 19th, 2025
Hi, Spring fans! Welcome to another extra special installment of This Week in Spring - special because the next installment will be delivered from the floors of the Venetian where the extraordinarily awesome SpringOne 2025 event will take place! So, some poetry: ’Twas the Week Before SpringOne...
Linux Distros Unpatched Vulnerability : CVE-2022-31692
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types...