5 matches found

CVE-2022-22978 (added 2022/05/19 12:00 a.m.)

CVE-2022-22978 is an authorization bypass in Spring Security's RegexRequestMatcher: a dot (.) in the regular expression can be bypassed on certain servlet containers, so a request can slip past the rule the pattern was meant to enforce. Affected: Spring Security versions before 5.4.11, 5.5.7 and 5.6.4, plus older unsupported releases. Connected reports show remediation ...

CVSS 9.8, AI score 9.2, EPSS 0.10037
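Added example for the RegexRequestMatcher entry above (my own code, not Spring Security's and not taken from the advisory). It uses only java.util.regex to show why a dot in a request-matcher pattern is bypassable: by default "." does not match line terminators, so a path such as /admin/%0a/users, once decoded to contain a newline, fails to match the rule /admin/.* and the authorization check that rule guards is skipped. Compiling the same pattern with Pattern.DOTALL, which is how the patched releases compile RegexRequestMatcher patterns, makes the rule match again. Whether a path containing a newline reaches the matcher at all depends on the servlet container, which is why the advisory limits the bypass to "certain servlet containers". The class name, the /admin/.* rule and the sample paths are constructed for the demonstration.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Spring Security's own code. Demonstrates the
 * CVE-2022-22978 mechanism with plain java.util.regex: a "." in an
 * authorization pattern does not match "\n" or "\r" unless the pattern
 * is compiled with Pattern.DOTALL.
 */
public class DotBypassDemo {

    // Rule an application might hand to RegexRequestMatcher to protect /admin.
    // Constructed for this demo; any pattern containing "." behaves the same way.
    static final String ADMIN_RULE = "/admin/.*";

    // Pre-fix behaviour: the pattern is compiled with default flags,
    // so "." stops at a line terminator.
    static boolean matchesWithDefaultFlags(String path) {
        return Pattern.compile(ADMIN_RULE).matcher(path).matches();
    }

    // Patched behaviour: compiled with DOTALL, so "." also consumes
    // "\n" and "\r" and the rule covers the whole path.
    static boolean matchesWithDotAll(String path) {
        return Pattern.compile(ADMIN_RULE, Pattern.DOTALL).matcher(path).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary admin path, and the decoded form of
        // /admin/%0a/users as a container that passes it through would see it.
        String normalPath = "/admin/users";
        String newlinePath = "/admin/\n/users";

        System.out.println("normal path, default flags : " + matchesWithDefaultFlags(normalPath));
        System.out.println("newline path, default flags: " + matchesWithDefaultFlags(newlinePath));
        System.out.println("newline path, DOTALL       : " + matchesWithDotAll(newlinePath));
    }
}
```

Run it with a JDK 11 or newer as "java DotBypassDemo.java". The second line is the bypass: the rule that is supposed to cover everything under /admin/ does not match the newline path, so on an unpatched release and a container that forwards such a path, the request is not subject to that matcher's access rule. The third line shows the same rule under DOTALL, which is the behaviour the fixed versions give RegexRequestMatcher; the practical remediation remains upgrading to the fixed releases listed in the entry.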
CVE-2026-22732 (added 2026/03/19 10:47 p.m.)

CVE-2026-22732 affects multiple supported Spring Security branches: HTTP response headers for servlet applications may not be written. Affected versions: 5.7.0–5.7.21, 5.8.0–5.8.23, 6.3.0–6.3.14, 6.4.0–6.4.14, 6.5.0–6.5.8 and 7.0.0–7.0.3. The description indicates a he...

CVSS 9.1, AI score 5.8, EPSS 0.00437
CVE-2019-11272 (added 2019/06/26 2:06 p.m.)

CVE-2019-11272 affects Spring Security's PlaintextPasswordEncoder: when the stored (encoded) password is null, a login attempt with the literal password "null" succeeds. Affected: Spring Security 4.2.x up to 4.2.12 and older unsupported versions. Root cause: using PlaintextPasswordEncoder with null encoded passwords. Impa...

CVSS 7.5, AI score 7.2, EPSS 0.0137
CVE-2026-22748 (added 2026/04/22 5:15 a.m.)

CVE-2026-22748 affects Spring Security when JWT decoding uses NimbusJwtDecoder or NimbusReactiveJwtDecoder and no OAuth2TokenValidator has been configured separately (for example via setJwtValidator). The impact is to authentication integrity (I), rated MEDIUM overall severity (CVSS v3.1...

CVSS 6.5, AI score 5.7, EPSS 0.00203
CVE-2026-22746 (added 2026/04/22 5:02 a.m.)

CVE-2026-22746 affects Spring Security: the timing-attack defense in DaoAuthenticationProvider can be bypassed when an application uses the UserDetails attributes isEnabled, isAccountNonExpired or isAccountNonLocked to manage user status. Affected versions include Spr...

CVSS 3.7, AI score 5.7, EPSS 0.00215