Spring Security Flaw Bypasses Auth, Authorization
The National Vulnerability Database (NVD) has published CVE-2026-22753, a high-severity vulnerability (CVSS 7.5) in Spring Security versions 7.0.0 through 7.0.4. The flaw affects applications that scope a filter chain with `securityMatchers(String)` while also registering a `PathPatternRequestMatcher.Builder` bean that prepends a servlet path. In that combination, a request can fail to match the filter chain that was meant to protect it, so the authentication and authorization filters in that chain never run for the request.
This is not a narrow edge case: the controls are not weakened, they are skipped. An attacker who can send a request that triggers the matching failure can reach endpoints the chain was supposed to protect without being authenticated or authorized. The NVD vector rates confidentiality as not impacted and integrity as high, because the intended security policy can be bypassed; no user interaction is required and the attack complexity is low, which makes affected deployments an attractive target.
Defenders should prioritize patching. The problem is not a weak credential but a configuration-dependent path on which the credential check never runs at all, so it undermines the security posture of every affected application that uses this configuration. Development and security teams should treat it as an architectural bypass that needs immediate attention.
What This Means For You
- If your organization runs Spring Security 7.0.0 through 7.0.4, review your security configuration now. Look for filter chains scoped with `securityMatchers(String)` in combination with a `PathPatternRequestMatcher.Builder` bean that prepends a servlet path; it is the combination that triggers the failed match, and the bean and the chain definition may live in different configuration classes. Upgrade to a non-vulnerable Spring Security release so that authentication and authorization cannot be bypassed for those requests.
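The following triage helper is an added example for the configuration described above and the review step in this list; it is not from the advisory, from NVD, or from the Spring Security project. It checks a dependency version against the 7.0.0 through 7.0.4 range the advisory names and greps a source tree for the two identifiers it names. Assumptions, labelled as such: the affected range is exactly as the advisory states; the grep looks for the prefix `securityMatcher` so that it also catches the singular spelling if a codebase uses it; and the sample Java files it builds are constructed for the demonstration only (the `basePath` method and the `/mvc` and `/api/**` paths in them are assumptions, not taken from the advisory).

```shell
#!/bin/sh
# Added triage helper for CVE-2026-22753 (not from the advisory or the Spring project).
# Assumptions: affected range is exactly 7.0.0..7.0.4 as the advisory states;
# the identifiers grepped for are the two the advisory names.

# is_affected_version VERSION -> exit 0 if VERSION is 7.0.0 .. 7.0.4 inclusive.
# A qualifier such as "-SNAPSHOT" or "-RC1" is stripped first, so "7.0.4-SNAPSHOT"
# is still treated as in range. Anything that is not a plain x.y.z is rejected.
is_affected_version() {
  v=${1%%-*}
  case "$v" in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # non-numeric, empty, or malformed dots
  esac
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  [ $# -eq 3 ] || return 1                 # need exactly major.minor.patch
  [ "$1" -eq 7 ] && [ "$2" -eq 0 ] && [ "$3" -le 4 ]
}

# uses_reported_pattern DIR -> exit 0 if the tree under DIR contains both a
# securityMatcher(s) call and a PathPatternRequestMatcher.Builder reference.
# Both are required because the advisory describes the combination; the bean
# and the filter-chain definition may live in different classes, so the check
# is project-wide rather than per file.
uses_reported_pattern() {
  grep -rqF 'securityMatcher' "$1" &&
    grep -rqF 'PathPatternRequestMatcher.Builder' "$1"
}

# triage VERSION DIR -> prints one verdict:
#   AFFECTED_CONFIG   affected version and the reported pattern is present: patch now
#   AFFECTED_VERSION  affected version, pattern not found: still upgrade, re-check configs
#   NOT_IN_RANGE      version outside 7.0.0..7.0.4 for this CVE
triage() {
  if is_affected_version "$1"; then
    if uses_reported_pattern "$2"; then echo AFFECTED_CONFIG; else echo AFFECTED_VERSION; fi
  else
    echo NOT_IN_RANGE
  fi
}

# Demo against a constructed sample tree (not a real project).
demo=$(mktemp -d)
mkdir -p "$demo/src"
cat > "$demo/src/MatcherConfig.java" <<'EOF'
// Constructed sample for this demo. The bean shape (a Builder that prepends a
// servlet path) is what the advisory names; basePath and "/mvc" are assumptions.
@Bean
PathPatternRequestMatcher.Builder requestMatcherBuilder() {
    return PathPatternRequestMatcher.withDefaults().basePath("/mvc");
}
EOF
cat > "$demo/src/ApiChainConfig.java" <<'EOF'
// Constructed sample: a filter chain scoped with securityMatchers, spelled as in the advisory.
http.securityMatchers("/api/**");
EOF
echo "7.0.3 against sample tree: $(triage 7.0.3 "$demo")"   # AFFECTED_CONFIG
echo "7.0.5 against sample tree: $(triage 7.0.5 "$demo")"   # NOT_IN_RANGE
rm -rf "$demo"
```

In practice, feed `triage` the Spring Security version reported by your build tool's dependency listing and the root of the service's source tree; a `grep` hit is a prompt for a human to read the configuration, not proof of exposure, and a miss does not remove the need to upgrade an affected version.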
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-22753 | Affected product | Spring Security |
| CVE-2026-22753 | Affected versions | Spring Security 7.0.0 through 7.0.4 |
| CVE-2026-22753 | Vulnerable configuration | `securityMatchers(String)` used together with a `PathPatternRequestMatcher.Builder` bean that prepends a servlet path |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.