Spring security advisory (AV26-373)
Analysis Summary
# Vulnerability: Spring Framework and Ecosystem Multiple Vulnerabilities (AV26-373)
## CVE Details
*Note: This security bulletin refers to a collection of advisories released between April 9 and 21, 2026. Specific CVE IDs are tied to the individual product updates below.*
- **CVE ID:** Multiple (Refer to Spring Security Advisory page)
- **CVSS Score:** Variable (Typically ranges from Medium to High for these components)
- **CWE:** Often includes CWE-601 (Open Redirect), CWE-863 (Incorrect Authorization), and CWE-502 (Deserialization) in these product suites.
## Affected Systems
- **Products:**
  - Spring Cloud Gateway
  - Spring Security
  - Spring Authorization Server
  - Spring Framework
- **Versions:**
  - **Spring Cloud Gateway:** 4.2.0
  - **Spring Security:** 5.7.0 to 5.7.22, 5.8.0 to 5.8.24, 6.3.0 to 6.3.15, 6.4.0 to 6.4.15, 6.5.0 to 6.5.9, and 7.0.0 to 7.0.4
  - **Spring Authorization Server:** 1.3.0 to 1.3.10, 1.4.0 to 1.4.9, and 1.5.0 to 1.5.6
  - **Spring Framework:** 5.3.0 to 5.3.47, 6.1.0 to 6.1.26, 6.2.0 to 6.2.17, and 7.0.0 to 7.0.6
- **Configurations:** Generally affects standard deployments of the MVC and WebFlux stacks using these dependencies.
## Vulnerability Description
While the bulletin (AV26-373) serves as a roll-up notification, vulnerabilities in these Spring components typically involve:
- **Authorization Bypass:** Flaws in security filter chains or pattern matching that allow unauthorized access to protected endpoints.
- **Request Smuggling/Manipulation:** Vulnerabilities in how Cloud Gateway or Framework handles HTTP headers or path routing.
- **Open Redirects:** Improper validation of redirect URIs in the Authorization Server or Security modules.
## Exploitation
- **Status:** PoC availability varies by individual CVE; typically, Spring Framework vulnerabilities see rapid PoC development following disclosure.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** Moderate to High (Potential data exposure via authorization bypass).
- **Integrity:** Moderate to High.
- **Availability:** Moderate (Potential Denial of Service in specific routing scenarios).
## Remediation
### Patches
Users should upgrade to the following versions (or higher) as per the April 2026 advisory:
- **Spring Cloud Gateway:** 4.2.1+
- **Spring Security:** 5.7.23+, 5.8.25+, 6.3.16+, 6.4.16+, 6.5.10+, 7.0.5+
- **Spring Authorization Server:** 1.3.11+, 1.4.10+, 1.5.7+
- **Spring Framework:** 5.3.48+, 6.1.27+, 6.2.18+, 7.0.7+
### Workarounds
- Ensure strict input validation for all user-supplied URL parameters.
- Implement robust monitoring on authentication and gateway routing logs.
- Audit `SecurityFilterChain` configurations for overly permissive patterns (e.g., `anyRequest().permitAll()`).
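The `SecurityFilterChain` audit in the last workaround is easiest to explain with a weak configuration next to a hardened one. The following Java class is an added illustration written for this bulletin, not code from the Spring project or from the advisory, and it assumes the Spring Security 6.x lambda DSL (`authorizeHttpRequests`) and a hypothetical application that exposes `/admin/**`, `/public/**` and `/actuator/health`. Only the hardened chain is registered as a `@Bean`; the weak one is left unannotated so the two can be compared side by side without both being active.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // WEAK (illustration only, deliberately not a @Bean): the catch-all rule is
    // permitAll, so every endpoint that is not listed explicitly, including any
    // controller added later, is reachable without authentication. Matchers are
    // evaluated in declaration order, so a permissive rule placed early also
    // shadows stricter rules that follow it.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().permitAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // HARDENED: deny by default. The public surface is enumerated explicitly,
    // the most specific matchers come first, and anyRequest() requires an
    // authenticated principal, so a forgotten endpoint fails closed.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // constructed paths for the hypothetical application
                .requestMatchers("/", "/login", "/public/**", "/actuator/health").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

When auditing an existing chain, look for the `anyRequest()` terminal rule first: if it is `permitAll()`, every path not matched above it is public. The audit is only complete after the upgrade in the Patches section, because the hardened rules still rely on the framework's own path matching being correct.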
## Detection
- **Indicators of Compromise:** Unusual 403-to-200 status code transitions in access logs; unexpected redirect headers in outbound traffic.
- **Detection methods and tools:** Use Dependency-Check or Snyk to scan project BOM (Bill of Materials) for vulnerable versions.
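The first indicator above, a 403 followed by a 200 for the same client and path, can be checked mechanically over access logs. The class below is an added example written for this bulletin, not tooling from the advisory or the Spring project. It assumes Java 17 or later (it uses a `record`) and Combined Log Format lines; the five sample lines are constructed for the example and do not come from real traffic. It keys on client address, method and path, and raises an alert when a 200 arrives after an earlier 403 for the same key.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccessLogTransitionDetector {

    // Constructed sample lines (Combined Log Format shape, not real traffic).
    static final List<String> SAMPLE_LOG = List.of(
        "203.0.113.7 - - [20/Apr/2026:10:00:01 +0000] \"GET /admin/users HTTP/1.1\" 403 0 \"-\" \"curl/8.0\"",
        "203.0.113.7 - - [20/Apr/2026:10:00:02 +0000] \"GET /admin/users HTTP/1.1\" 403 0 \"-\" \"curl/8.0\"",
        "203.0.113.7 - - [20/Apr/2026:10:00:03 +0000] \"GET /admin/users HTTP/1.1\" 200 5120 \"-\" \"curl/8.0\"",
        "198.51.100.4 - - [20/Apr/2026:10:00:04 +0000] \"GET /public/index.html HTTP/1.1\" 200 812 \"-\" \"Mozilla/5.0\"",
        "198.51.100.4 - - [20/Apr/2026:10:00:05 +0000] \"GET /admin/users HTTP/1.1\" 403 0 \"-\" \"Mozilla/5.0\""
    );

    // client, [ident], [user], [timestamp] "METHOD PATH PROTO" STATUS ...
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(\\S+) (\\S+)[^\"]*\" (\\d{3}) ");

    record Entry(String client, String method, String path, int status) {}

    // Parse one line; lines that do not match the expected shape are skipped.
    static Optional<Entry> parse(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.find()) {
            return Optional.empty();
        }
        return Optional.of(new Entry(
            m.group(1), m.group(2), m.group(3), Integer.parseInt(m.group(4))));
    }

    // Return one alert per (client, method, path) that went from 403 to 200
    // in log order. The 403 marker is cleared once reported so a long session
    // does not produce duplicate alerts for the same transition.
    static List<String> findTransitions(List<String> lines) {
        Set<String> forbiddenSeen = new HashSet<>();
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Optional<Entry> parsed = parse(line);
            if (parsed.isEmpty()) {
                continue;
            }
            Entry e = parsed.get();
            String key = e.client() + " " + e.method() + " " + e.path();
            if (e.status() == 403) {
                forbiddenSeen.add(key);
            } else if (e.status() == 200 && forbiddenSeen.remove(key)) {
                alerts.add("403->200 transition: " + e.method() + " " + e.path()
                    + " from " + e.client());
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Expected on the constructed sample: one alert, for 203.0.113.7 on
        // GET /admin/users; 198.51.100.4 only ever received a 403 on that path.
        findTransitions(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

A transition of this kind is benign when the client authenticated in between, which is why the bulletin also asks for monitoring of authentication logs: correlate each alert with the authentication events for that client in the same window, and treat a 403-to-200 change with no intervening successful login as the case worth investigating.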
## References
- **Vendor advisories:** hxxps[://]spring[.]io/security
- **Official Bulletin:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/spring-security-advisory-av26-373