CVE-2026-47838: Unauthorized User Impersonation when Using X.509 Client Certificates

MEDIUM | JUNE 09, 2026 | CVE-2026-47838

Description

This CVE is a continuation of CVE-2026-22747, which addressed this same issue for Spring Security 7.0.x.

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can cause it to read the wrong value as the username. With a carefully crafted certificate, this can allow an attacker to impersonate another user.

Environmental Considerations

This component sits behind Spring Security's pre-authentication flow, which assumes the presented credentials have already been validated by a trusted upstream. Exploiting this issue therefore presupposes a compromise of that upstream trust. So while we recommend upgrading, this fix is better understood as defense-in-depth than as closing a standalone attack path.

Affected Spring Products and Versions

Spring Security:

  • 5.7.0 - 5.7.24
  • 5.8.0 - 5.8.26
  • 6.3.0 - 6.3.17
  • 6.4.0 - 6.4.17
  • 6.5.0 - 6.5.10
  • Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
5.7.x                 5.7.25        Enterprise Support Only
5.8.x                 5.8.27        Enterprise Support Only
6.3.x                 6.3.18        Enterprise Support Only
6.4.x                 6.4.18        Enterprise Support Only
6.5.x                 6.5.11        OSS

This CVE deprecates SubjectDnX509PrincipalExtractor in favor of SubjectX500PrincipalExtractor. As part of upgrading, you should also migrate any configuration that uses SubjectDnX509PrincipalExtractor to SubjectX500PrincipalExtractor.
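The migration described above, shown as a before/after Spring Security Java configuration. This is an added example, not code from the advisory or the Spring project; it assumes SubjectX500PrincipalExtractor lives in the same package as the deprecated extractor and has a no-argument constructor, and that the UserDetailsService bean is supplied by the application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
// Assumed package: same as the deprecated extractor it replaces.
import org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor;

@Configuration
public class X509SecurityConfig {

    // BEFORE (affected): the deprecated extractor pulls the CN out of the
    // subject DN string. This is the configuration the advisory tells you to move off.
    // @Bean
    SecurityFilterChain legacyFilterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .x509(x509 -> x509
                .principalExtractor(new SubjectDnX509PrincipalExtractor())
                .userDetailsService(users));
        return http.build();
    }

    // AFTER (fixed version): use SubjectX500PrincipalExtractor, which the CVE names
    // as the replacement. Everything else in the chain stays the same.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService users) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .x509(x509 -> x509
                .principalExtractor(new SubjectX500PrincipalExtractor())
                .userDetailsService(users));
        return http.build();
    }
}
```

When reviewing existing configurations, also check for x509 blocks that set no extractor at all or only call subjectPrincipalRegex: in the affected versions those paths build a SubjectDnX509PrincipalExtractor internally, so they need the same migration even though the deprecated class name never appears in the source.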

Credit

The issue was identified and responsibly reported by Nikita Markevich.

History

  • 2026-04-20: Initial vulnerability report published.
