CVE-2026-22753: Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

April 22, 2026 (updated April 29, 2026)

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.

References

github.com/advisories/GHSA-4wrg-8wpc-h923
github.com/spring-projects/spring-security
nvd.nist.gov/vuln/detail/CVE-2026-22753
spring.io/security/cve-2026-22753

Code Behaviors & Features

Detect and mitigate CVE-2026-22753 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →