CVE-2026-22747: Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

April 22, 2026 (updated April 29, 2026)

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.

References

github.com/advisories/GHSA-2jrg-rf5x-568g
github.com/spring-projects/spring-security
github.com/spring-projects/spring-security/commit/88118afb8f9357ae7cc215500a441e89fee701c3
nvd.nist.gov/vuln/detail/CVE-2026-22747
spring.io/security/cve-2026-22747

Code Behaviors & Features

Detect and mitigate CVE-2026-22747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →