{"api_version":"1","generated_at":"2026-04-19T08:43:53+00:00","cve":"CVE-2026-22732","urls":{"html":"https://cve.report/CVE-2026-22732","api":"https://cve.report/api/cve/CVE-2026-22732.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22732","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22732"},"summary":{"title":"Under Some Conditions Spring Security HTTP Headers Are not Written","description":"When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \nThis issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.","state":"PUBLISHED","assigner":"vmware","published_at":"2026-03-19 23:16:41","updated_at":"2026-04-16 04:29:24"},"problem_types":["CWE-425","CWE-425 CWE-425 Direct Request ('Forced Browsing')"],"metrics":[{"version":"3.1","source":"security@vmware.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://spring.io/security/cve-2026-22732","name":"https://spring.io/security/cve-2026-22732","refsource":"security@vmware.com","tags":["Vendor Advisory","Exploit"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22732","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22732","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 5.7.0 5.7.21 custom","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 5.8.0 5.8.23 custom","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 6.3.0 6.3.14 custom","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 6.4.0 6.4.14 custom","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 6.5.0 6.5.8 custom","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring Security","version":"affected 7.0.0 7.0.3 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22732","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"vmware","cpe5":"spring_security","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"22732","cve":"CVE-2026-22732","epss":"0.000170000","percentile":"0.041470000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-22732","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-20T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-425","description":"CWE-425 Direct Request ('Forced Browsing')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-21T04:01:50.715Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"Spring Security","vendor":"VMware","versions":[{"lessThanOrEqual":"5.7.21","status":"affected","version":"5.7.0","versionType":"custom"},{"lessThanOrEqual":"5.8.23","status":"affected","version":"5.8.0","versionType":"custom"},{"lessThanOrEqual":"6.3.14","status":"affected","version":"6.3.0","versionType":"custom"},{"lessThanOrEqual":"6.4.14","status":"affected","version":"6.4.0","versionType":"custom"},{"lessThanOrEqual":"6.5.8","status":"affected","version":"6.5.0","versionType":"custom"},{"lessThanOrEqual":"7.0.3","status":"affected","version":"7.0.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.&nbsp;<br><p>This issue affects <span>Spring Security</span><span>&nbsp;</span><b>Servlet applications using lazy (default) writing of HTTP Headers:</b></p><p>: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.</p>"}],"value":"When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \nThis issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T07:20:58.779Z","orgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","shortName":"vmware"},"references":[{"url":"https://spring.io/security/cve-2026-22732"}],"source":{"discovery":"UNKNOWN"},"title":"Under Some Conditions Spring Security HTTP Headers Are not Written","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","assignerShortName":"vmware","cveId":"CVE-2026-22732","datePublished":"2026-03-19T22:47:38.199Z","dateReserved":"2026-01-09T06:54:41.498Z","dateUpdated":"2026-04-02T07:20:58.779Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-19 23:16:41","lastModifiedDate":"2026-04-16 04:29:24","problem_types":["CWE-425","CWE-425 CWE-425 Direct Request ('Forced Browsing')"],"metrics":{"cvssMetricV31":[{"source":"security@vmware.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionEndExcluding":"5.7.22","matchCriteriaId":"A26C5B8B-290A-4D96-B6CB-DD80AFC1FC69"},{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.0","versionEndExcluding":"5.8.24","matchCriteriaId":"F2BEA7DD-1479-498E-8920-64CFF6470836"},{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3.0","versionEndExcluding":"6.3.15","matchCriteriaId":"66AC616D-9661-4913-8278-F1E49CF4F869"},{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.0","versionEndExcluding":"6.4.15","matchCriteriaId":"979904B0-FAB8-4153-840F-BFCAAC608FA9"},{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5.0","versionEndExcluding":"6.5.9","matchCriteriaId":"519BA551-813A-4757-82CB-6CED8FF97801"},{"vulnerable":true,"criteria":"cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.4","matchCriteriaId":"B92F3249-AA17-4A34-938C-89E0E2A9A87A"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22732","Ordinal":"1","Title":"Under Some Conditions Spring Security HTTP Headers Are not Writt","CVE":"CVE-2026-22732","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22732","Ordinal":"1","NoteData":"When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \nThis issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers:\n\n: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.","Type":"Description","Title":"Under Some Conditions Spring Security HTTP Headers Are not Writt"}]}}}