logo

Database

Insecure digital certificates In org.springframework.security:spring-security-web

Description

Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-227472. NVD-2026-227473. OSV-2026-227474. GCVE-2026-22747

References

1. https://github.com/spring-projects/spring-security/commit/88118afb8f9357ae7cc215500a441e89fee701c32. https://spring.io/security/cve-2026-22747

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.