17 matches found
CVE-2026-40976
A flaw was found in Spring Boot. Under specific conditions, including being a servlet-based web application without custom Spring Security configuration and relying on the default web security filter chain, a remote attacker could bypass security. This allows unauthorized access to all applicatio...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
EUVD-2026-25940
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
CVE-2026-40976
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...
CVE-2026-40976
CVE-2026-40976 affects Spring Boot 4.0.0–4.0.5. In vulnerable configurations, a servlet-based web application that relies on Spring Boot’s default web security (no custom Spring Security config), depends on spring-boot-actuator-autoconfigure, and does not rely on spring-boot-health can experience...
PT-2026-35548
Name of the Vulnerable Software and Affected Versions Spring Boot versions 4.0.0 through 4.0.5 Description Default web security in certain configurations is ineffective, allowing unauthorized and unauthenticated access to all endpoints. This occurs when a servlet-based web application relies on t...
ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +2186 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=3.4.0 <=3.5.11)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =3.4.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.24, =1.0.27, =1.0.0, =1.0.0, =0.0.1, =0.1.0, =0.8.2 - cc.zzzyu.nacos:nacos-ai =3.1.1 and more Source cves: CVE-2026-22731 Source advisory:...
ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +719 more potentially affected by CVE-2026-22731 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=4.0.0-M1 <=4.0.3)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.3.0 and more Source cves: CVE-2026-22731 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending reques...
ai.platon.pulsar:pulsar-e2e-tests (>=4.5.0 <=4.6.0), ai.platon.pulsar:pulsar-it-tests (>=4.5.0 <=4.6.0) +719 more potentially affected by CVE-2026-22733 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=4.0.0-M1 <=4.0.3)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =4.0.0-M1, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.5.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =3.1.0, =3.3.0 and more Source cves: CVE-2026-22733 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-15701...
ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +1613 more potentially affected by CVE-2025-22235 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=3.4.0 <=3.4.4)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =3.4.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.24, =1.0.27, =1.0.0, =1.0.0, =0.0.1, =0.1.0, =1.10.0, =1.14.0 and more Source cves: CVE-2025-22235 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-9804539...
spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. This issue occurs when an application is deployed to Cloud Foundry, which could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are...
spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. This issue occurs when an application is deployed to Cloud Foundry, which could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are...
Access Restriction Bypass
org.springframework.boot:spring-boot-actuator-autoconfigure is vulnerable to Access Restriction Bypass. The vulnerability is due to improper wild card matching, which allows a remote attacker to bypass access restrictions and gain access to the system. Please note that the vulnerability is only...
cc.zhaoac:faith-core-boot (>=1.0.0 <=1.0.1), cc.zhaoac:faith-core-launch (>=1.0.0 <=1.0.1) +1019 more potentially affected by CVE-2023-20873 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=2.7.0 <=2.7.10)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =2.7.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.1.0 - cc.zhaoac:faith-tool-boot =1.1.0 - cc.zhaoac:faith-tool-common =1.1.0 - cc.zhaoac:faith-tool-launch =1.1.0 - cc.zhaoac:faith-tool-log =1.1.0 -...
ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.2 <=0.2.0), ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24) +5083 more potentially affected by CVE-2023-20873 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=2.0.0.RELEASE <=2.5.14)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =2.0.0.RELEASE, =0.1.2, =0.5.0, =0.5.21, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.24 and more Source cves: CVE-2023-20873 Source advisory: OSV:GHSA-G5H3-W5...