CVE-2026-47838

Improper Authentication

Published: Jun 10, 2026 | Modified: Jun 17, 2026

CVSS 3.x: 8.1 HIGH (source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Ubuntu priority: MEDIUM

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.

Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name             Vendor   Start Version        End Version
Spring_security  Vmware   *                    5.7.25 (excluding)
Spring_security  Vmware   5.8.0 (including)    5.8.27 (excluding)
Spring_security  Vmware   6.3.0 (including)    6.3.18 (excluding)
Spring_security  Vmware   6.4.0 (including)    6.4.18 (excluding)
Spring_security  Vmware   6.5.0 (including)    6.5.11 (excluding)
