Fluid Attacks Database

Description

Spring Boot has an Authentication Bypass under Actuator Health groups paths Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.boot:spring-boot-starter-actuator	>=3.4.0 <=3.4.13 \|\| >=3.5.0 <3.5.12 \|\| >=4.0.0-m1 <4.0.4	3.5.12, 4.0.4

Aliases

1. CVE-2026-227312. NVD-2026-227313. OSV-2026-227314. GCVE-2026-22731

References

1. https://spring.io/security/cve-2026-22731

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.