CVE-2026-22731: Spring Boot has an Authentication Bypass under Actuator Health groups paths

March 20, 2026 (updated April 16, 2026)

Spring Boot applications with Actuator can be vulnerable to an “Authentication Bypass” vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.

References

github.com/advisories/GHSA-8hfc-fq58-r658
nvd.nist.gov/vuln/detail/CVE-2026-22731
spring.io/security/cve-2026-22731

Code Behaviors & Features

Detect and mitigate CVE-2026-22731 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →