ROOT-APP-MAVEN-CVE-2026-22748 CVE-2026-22748 in io.root.org.springframework.security:spring-security-oauth2-jose - Patched by Root

Root has patched CVE-2026-22748 in the io.root.org.springframework.security:spring-security-oauth2-jose package for Root:Maven. Multiple fixed versions available...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +302 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-oauth2-jose MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4...

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.4.0.0 <=3.4.0.1), cn.herodotus.engine:oauth2-core (>=3.4.0.0 <=3.4.0.1) +110 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.4.0 <=6.4.13)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.4.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22748 Source advisory:...

ch.admin.bit.jeap:jeap-oauth-mock-server (>=3.1.0 <=3.44.0), ch.admin.bit.jeap:jeap-oauth-mock-server-instance (>=3.1.0 <=3.44.0) +79 more potentially affected by CVE-2026-22752 via org.springframework.security:spring-security-oauth2-authorization-server (>=1.3.0 <=1.5.6)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =1.3.0, =3.1.0, =3.1.0, =1.0.0, =1.0.1, =1.0.0, =3.0.0, =3.5.5.3, =3.5.5.3, =3.3.0.0, =3.5.5.3, =3.5.5.3, =3.5.5.3, =3.3.0.0, =3.3.0.0, =3.5.5.2 and more Source cves: CVE-2026-22752 Source advisory:...

RHEL 7 / 8 : OpenShift Container Platform 4.10.56 (RHSA-2023:1655)

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1655 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.2.0.0 <=3.2.2.2), cn.herodotus.engine:oauth2-sdk-authentication (>=3.2.0.0 <=3.2.2.2) +9 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=1.2.0 <=1.2.2)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =1.2.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.0.0, =3.0.0, =2.0.0, =1.5.0, =2.0.0, =1.0.0-beta2, =3.2.0, =3.2.3 Source cves: CVE-2024-22258 Source advisory: OSV:GHSA-X637-X8P3-5P22...

cn.com.tltim.pigx:pigx-common-security (=5.0.0-20240820), cn.com.tltim.pigx:pigx-common-websocket (=5.0.0-20240820) +46 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=0.2.0 <=1.1.5)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =0.2.0, =0.0.1-alpha.1, =3.1.5.2, =2.7.7.3, =2.7.7.4, =2.7.0.0, =2.7.0.0, =2.7.1.2, =2.7.0.0, =3.0.6.4, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 - com.github.paganini2008.doodler:doodler-common-oauth =1.0.0-bet...

Important: Red Hat Security Advisory: Migration Toolkit for Runtimes security bug fix and enhancement update

Migration Toolkit for Runtimes 1.0.2 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

Privilege Escalation

Spring Security OAuth2 Client is vulnerable to Privilege Escalation. The vulnerability exists in the getTokenResponse function in multiple files due to the authorization server responding with an OAuth2 access token response containing an empty scope list which allows an attacker to modify reques...

cn.kduck:kduck-security-principal (=1.1.3), com.atlassian.connect:atlassian-connect-spring-boot-core (>=3.0.0 <=3.0.10) +338 more potentially affected by CVE-2022-31690 via org.springframework.security:spring-security-oauth2-client (>=5.7.1 <=5.7.4)

org.springframework.security:spring-security-oauth2-client MAVEN version =5.7.1, =3.0.0, =3.0.0, =4.3.0, =5.1.3, =5.1.3, =5.1.0, =4.2.0, =0.1.33, =1.18.8, =1.18.8, =2.9 - com.graphql-java-generator:graphql-maven-plugin =1.18.8 and more Source cves: CVE-2022-31690https://vulners.com/cve/CVE-2...

Denial Of Service (DoS)

org.springframework.security:spring-security-oauth2-client is vulnerable to denial of service DoS attacks. An attacker is able to cause resource exhaustion via sending multiple requests initiating the authorization request for the authorization code grant using a single session or multiple...

com.atlassian.connect:atlassian-connect-spring-boot-api (>=2.0.2 <=2.0.7), com.atlassian.connect:atlassian-connect-spring-boot-core (>=2.0.2 <=2.0.7) +34 more potentially affected by CVE-2022-22969 via org.springframework.security.oauth:spring-security-oauth2 (>=2.4.0.RELEASE <=2.4.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.4.0.RELEASE, =2.0.2, =2.0.2, =2.0.2, =2.0.2, =0.0.5, =0.0.5, =0.0.5, =5.0.0, =5.0.0, =4.59.5, =1.0.10.RELEASE, =1.0.10.RELEASE, =1.0.10.RELEASE, =1.73.8, =1.106.2 and more Source cves: CVE-2022-22969 Source advisory:...

cn.infrabase:infrabase-platform-passport (=0.0.1), cn.itlym:shoulder-starter-auth-server (=0.6) +263 more potentially affected by CVE-2022-22969 via org.springframework.security.oauth:spring-security-oauth2 (>=2.5.0.RELEASE <=2.5.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.5.0.RELEASE, =1.1.0, =1.1.0, =1.129.9, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =3.2.1.RELEASE, =5.0.0, =1.4.11, =1.4.11, =1.5.7 and more Source cves: CVE-2022-22969 Source advisory: OSV:GHSA-C2CP-3XJ9-97W9...

com.c4-soft.springaddons:spring-security-test-oauth2-addons (=1.0.0), com.epam.reportportal:service-authorization (=5.0.0) +18 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-oauth2-client (=5.2.0.RELEASE)

org.springframework.security:spring-security-oauth2-client MAVEN version =5.2.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-oauth2-client and may be impacted: -...

Open Redirection

spring-security-oauth2 is vulnerable to open redirection. A remote attacker is able to modify the redirecturi parameter and redirect users to a malicious site to steal confidential information such as authorization code, username and password...

am.ik.home:uaa-client (>=1.0.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.0.0 <=1.9.0) +537 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=2.0.16.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =1.0.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =1.0.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1.11 - com.17jee:e-security-token =3.0.1.11 and more Source cves: CVE-2019-3778 Source...

br.com.anteros:Anteros-Security-Spring (>=2.0.0 <=2.0.20), br.com.anteros:Anteros-Security-Spring-Mongo (>=1.0.0 <=1.0.5) +284 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.3.0.RELEASE <=2.3.4.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.3.0.RELEASE, =2.0.0, =1.0.0, =1.0.0, =1.0.6, =1.0.6, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...

au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1), fm.pattern:tokamak-authorization (=1.0.1) +17 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.1.0.RELEASE <=2.1.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.1.0.RELEASE, =1.1.1, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.9.0, =1.9.0, =1.3.0, =1.3.0, =1.3.4 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GChttps://vulners.c...

br.com.anteros:Anteros-Keycloak (=1.0.0), cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE) +69 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.2.0.RELEASE <=2.2.3.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.2.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =1.0.0, =1.0.0, =3.3.2, =4.0.1 - com.ge.research.semtk:springSecurityLibrary =2.2.2 -...

Open Redirection

spring-security-oauth2 is vulnerable to open redirection. A lack of validation on the redirecturi parameter allows an attacker to manipulate the redirect URI by sending a malicious request to the authorization endpoint using the authorization code grant type and cause the authorization server to...