Spring Security Advisories

CVE-2018-1260: Remote Code Execution with spring-security-oauth2

CRITICAL | MAY 09, 2018 | CVE-2018-1260


Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.

This vulnerability exposes applications that meet all of the following requirements:

  • Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer)
  • Use the default Approval Endpoint

This vulnerability does not expose applications that:

  • Act in the role of an Authorization Server but override the default Approval Endpoint
  • Act in the role of a Resource Server only (e.g. @EnableResourceServer)
  • Act in the role of a Client only (e.g. @EnableOAuthClient)

Affected Spring Products and Versions

  • Spring Security OAuth 2.3 to 2.3.2
  • Spring Security OAuth 2.2 to 2.2.1
  • Spring Security OAuth 2.1 to 2.1.1
  • Spring Security OAuth 2.0 to 2.0.14
  • Older unsupported versions are also affected


Users of affected versions should apply the following mitigation:

  • 2.3.x users should upgrade to 2.3.3
  • 2.2.x users should upgrade to 2.2.2
  • 2.1.x users should upgrade to 2.1.2
  • 2.0.x users should upgrade to 2.0.15
  • Older versions should upgrade to a supported branch

There are no other mitigation steps required.


This issue was identified and responsibly reported by Philippe Arteau from GoSecure.



  • 2018-05-09: Initial vulnerability report published

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all