CVE DATABASE / CVE-2026-22732

CVE-2026-22732

CVSS 9.1 · CRITICAL

Summary

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

CVSS 3.1 breakdown

Base score	9.1 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	NONE

Weakness type (CWE)

CWE-425

Affected products

Vmware spring security

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

Our coverage

SCA Tool EOL Dependency CVE Blind Spot Detection: What Snyk and Dependabot Miss

References

https://spring.io/security/cve-2026-22732

Data: NIST NVD. NVD last modified 2026-04-16. Always verify against the vendor advisory before acting.