{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22732", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-03-19T22:47:38.199Z", "dateUpdated": "2026-04-02T07:20:58.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-02T07:20:58.779Z"}, "title": "Under Some Conditions Spring Security HTTP Headers Are not Written", "affected": [{"vendor": "VMware", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "lessThanOrEqual": "5.7.21", "versionType": "custom"}, {"status": "affected", "version": "5.8.0", "lessThanOrEqual": "5.8.23", "versionType": "custom"}, {"status": "affected", "version": "6.3.0", "lessThanOrEqual": "6.3.14", "versionType": "custom"}, {"status": "affected", "version": "6.4.0", "lessThanOrEqual": "6.4.14", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.8", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.3", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security\u00a0Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.&nbsp;<br><p>This issue affects <span>Spring Security</span><span>&nbsp;</span><b>Servlet applications using lazy (default) writing of HTTP Headers:</b></p><p>: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22732"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-425", "lang": "en", "description": "CWE-425 Direct Request ('Forced Browsing')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-22732"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T04:01:50.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:01:06.718510Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-425", "description": "CWE-425 Direct Request ('Forced Browsing')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:01:01.327Z"}}], "cna": {"title": "Under Some Conditions Spring Security HTTP Headers Are not Written", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "versionType": "custom", "lessThanOrEqual": "5.7.21"}, {"status": "affected", "version": "5.8.0", "versionType": "custom", "lessThanOrEqual": "5.8.23"}, {"status": "affected", "version": "6.3.0", "versionType": "custom", "lessThanOrEqual": "6.3.14"}, {"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.14"}, {"status": "affected", "version": "6.5.0", "versionType": "custom", "lessThanOrEqual": "6.5.8"}, {"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.3"}], "defaultStatus": "affected"}], "references": [{"url": "https://spring.io/security/cve-2026-22732"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security\u00a0Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.", "supportingMedia": [{"type": "text/html", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.&nbsp;<br><p>This issue affects <span>Spring Security</span><span>&nbsp;</span><b>Servlet applications using lazy (default) writing of HTTP Headers:</b></p><p>: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-02T07:20:58.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22732", "state": "PUBLISHED", "dateUpdated": "2026-04-02T07:20:58.779Z", "dateReserved": "2026-01-09T06:54:41.498Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-19T22:47:38.199Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.\u00a0\nThis issue affects Spring Security\u00a0Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3."}, {"lang": "es", "value": "Cuando las aplicaciones especifican encabezados de respuesta HTTP para aplicaciones servlet que utilizan Spring Security, existe la posibilidad de que los encabezados HTTP no se escriban. Este problema afecta a Spring Security: desde 5.7.0 hasta 5.7.21, desde 5.8.0 hasta 5.8.23, desde 6.3.0 hasta 6.3.14, desde 6.4.0 hasta 6.4.14, desde 6.5.0 hasta 6.5.8, desde 7.0.0 hasta 7.0.3."}], "id": "CVE-2026-22732", "lastModified": "2026-04-02T08:16:28.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.253", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22732"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers", "id": "2449306", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449306"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-166", "details": ["A flaw was found in Spring Security. When applications using Spring Security specify HTTP response headers for servlet applications, these headers may not be written. This can lead to a bypass of security policies or information disclosure, potentially allowing an attacker to gain unauthorized access to sensitive data or compromise the integrity of the application."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22732", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.apache.servicemix.bundles.spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-19T22:47:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22732\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22732\nhttps://spring.io/security/cve-2026-22732"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.7.0,5.7.21]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.8.0,5.8.23]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.3.0,6.3.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.4.0,6.4.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.5.0,6.5.8]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-21T07:32:35.510810+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a patched version (e.g., 5.7.22 or later, 5.8.24 or later, 6.3.15 or later, 6.4.15 or later, 6.5.9 or later, or 7.0.4 or later).", "Verify that all expected security headers are present in HTTP responses after the upgrade.", "If an immediate upgrade is not possible, add a custom filter or configuration change to explicitly set the missing security headers for all responses."], "summary": {"action": "Patch Immediately", "impact": "Missing Security Headers"}, "threat_synthesis": {"affected_systems": "Spring Security versions from 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3 are affected. All applications that rely on default header handling in these releases may be vulnerable.", "description_and_impact": "The vulnerability causes Spring Security to omit configured HTTP response headers under certain conditions. When this occurs critical security headers such as X-Content-Type-Options or X-Frame-Options may be absent, weakening defenses against cross\u2011site scripting, clickjacking, and other content\u2011related attacks. The weakness is classified as CWE\u2011166 and CWE\u2011425.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high severity impact. The EPSS score is below 1% and the issue is not listed in CISA\u2019s KEV catalog, suggesting limited current exploitation data. The likely attack vector is inferred as a remote attacker sending crafted HTTP requests that trigger the header omission, potentially allowing downstream exploitation such as clickjacking or cross\u2011site scripting if the application otherwise depended on those headers for security."}}}}, "created": "2026-03-20T08:54:36.471406+00:00", "updated": "2026-03-25T11:54:17.429842+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"]}