CVE-2026-22748: Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

April 22, 2026 (updated April 29, 2026)

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

References

github.com/advisories/GHSA-cvc6-q2cp-2xhw
github.com/spring-projects/spring-security
nvd.nist.gov/vuln/detail/CVE-2026-22748
spring.io/security/cve-2026-22748

Code Behaviors & Features

Detect and mitigate CVE-2026-22748 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →