Spring Boot applications with Actuator can be vulnerable to authentication bypass when an application endpoint that requires authentication is declared under a path that is already configured as a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar to, but not equivalent to, CVE-2026-22733: the conditions for exploitation and the vulnerable versions differ.
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Spring_boot | Vmware | 3.4.0 (including) | 3.4.15 (excluding) |
| Spring_boot | Vmware | 3.5.0 (including) | 3.5.12 (excluding) |
| Spring_boot | Vmware | 4.0.0 (including) | 4.0.4 (excluding) |
| HawtIO HawtIO 4.4.0 | RedHat | spring-boot | * |
| Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14 | RedHat | spring-boot | * |
| Red Hat OpenShift Dev Spaces 3.27 | RedHat | devspaces/openvsx-rhel9:1776716842 | * |
| Red Hat OpenShift Dev Spaces 3.27 | RedHat | devspaces/pluginregistry-rhel9:1776717247 | * |