Bug 2449290 (CVE-2026-22731)

Summary: CVE-2026-22731 Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abrianik, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, dbruscin, dhanak, dlofthou, drosa, fmariani, ggrzybek, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jrokos, kaycoth, kvanderr, kverlaen, mnovotny, mosmerov, mposolda, msvehla, nwallace, parichar, pberan, pbizzarr, pdelbell, pesilva, pjindal, pmackay, rmartinc, rstancel, rstepani, sausingh, sdawley, smaestri, ssilvert, sthorger, tasato, tcunning, thjenkin, vdosoudi, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Spring Boot. This vulnerability, an authentication bypass, occurs when an application endpoint requiring authentication is declared under a specific path already configured for a Health Group additional path. A remote attacker could exploit this to bypass authentication, potentially gaining unauthorized access to sensitive application endpoints. This could lead to information disclosure or unauthorized actions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2449641, 2449642, 2449643    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-19 23:03:01 UTC 
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path.
This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15.
This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.