{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-19T22:36:15Z",
  "bugzilla" : {
    "description" : "Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path",
    "id" : "2449290",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449290"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "Spring Boot applications with Actuator can be vulnerable to an \"Authentication Bypass\" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.\nThis issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.\nThis CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.", "A flaw was found in Spring Boot. This vulnerability, an authentication bypass, occurs when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to sensitive application endpoints. This could lead to information disclosure or unauthorized actions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17668",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18",
    "package" : "spring-boot"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/openvsx-rhel9:1776716842"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/pluginregistry-rhel9:1776717247"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "spring-boot",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-22731\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22731\nhttps://spring.io/security/cve-2026-22731" ],
  "name" : "CVE-2026-22731",
  "mitigation" : {
    "value" : "To mitigate, ensure that application endpoints requiring authentication are not declared under paths already configured as Health Group additional paths within Spring Boot applications using Actuator. Review and adjust your application's configuration to prevent this overlap. A redeployment of the application is required for changes to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}