MEDIUM | APRIL 23, 2026 | CVE-2026-40977
Description: When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected Spring Products and Versions Spring…
MEDIUM | APRIL 21, 2026 | CVE-2026-22751
Description: Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. An attacker with a valid one-time token can send concurrent requests to the…
CRITICAL | APRIL 21, 2026 | CVE-2026-22752
Description: Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a…
LOW | APRIL 20, 2026 | CVE-2026-22746
Description: If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled…
MEDIUM | APRIL 20, 2026 | CVE-2026-22748
Description: When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This is easy to miss when using NimbusJwtDecoder…
MEDIUM | APRIL 20, 2026 | CVE-2026-22747
Description: SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating…
HIGH | APRIL 20, 2026 | CVE-2026-22753
Description: If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the…
HIGH | APRIL 20, 2026 | CVE-2026-22754
Description: If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised…
MEDIUM | APRIL 17, 2026 | CVE-2026-22740
Description: A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain undeleted after the request is fully processed. This allows an attacker to consume…
LOW | APRIL 17, 2026 | CVE-2026-22741
Description: Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: the application is using Spring MVC or Spring WebFlux; the…