Spring Security releases three versions with fixes for seven critical CVEs.
- CVE-2026-22746: User attribute enumeration vulnerability in DaoAuthenticationProvider.
- CVE-2026-22747: Unauthorized user impersonation with X.509 client certificates.
- CVE-2026-22748, 22753, 22754: Path matching and security misconfiguration issues in HttpSecurity and XML authorization rules.
- CVE-2026-22752: Insufficient validation in Dynamic Client Registration endpoints.
- CVE-2026-22751: Token reuse vulnerability allowing one-time tokens to authenticate multiple sessions.
This summary was automatically generated by AI based on the original article and may not be fully accurate.