Bug 2460487 (CVE-2026-22747)

Summary: CVE-2026-22747 Spring Security: User impersonation via malformed X.509 certificate Common Name (CN) values
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abrianik, ant, aschwart, asoldano, aszczucz, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, bstansbe, cescoffi, dandread, dhanak, dkreling, dlofthou, drichtar, drosa, fmariani, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, jraez, jrokos, kaycoth, lthon, manderse, mnovotny, mosmerov, mposolda, msvehla, nwallace, olubyans, parichar, pberan, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rguimara, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, ssilvert, sthorger, tasato, tcunning, thjenkin, tqvarnst, vdosoudi, vmuzikar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Spring Security. This vulnerability allows a remote attacker to impersonate another user. The SubjectX500PrincipalExtractor component incorrectly handles certain malformed X.509 certificate Common Name (CN) values, which can lead to the system reading an incorrect username. By presenting a carefully crafted certificate, an attacker can exploit this to gain unauthorized access.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-22 06:01:28 UTC
Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.
This issue affects Spring Security: from 7.0.0 through 7.0.4.
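The bug report describes the risk without stating how the CN is read from the subject. As an added example, the following Java class is hypothetical code written for this page, not Spring Security's SubjectX500PrincipalExtractor and not the upstream fix for this CVE. It demonstrates the defensive pattern a practitioner can use when a certificate CN is the identity source: parse the subject DN into its RDN structure with the JDK's javax.naming.ldap.LdapName instead of pattern-matching the DN string, and refuse to derive a username unless exactly one single-valued CN is present. The class name StrictCnExtractor, the helper method extractCn and the sample subject DNs in main are all constructed for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical hardened CN extraction (added example, not Spring Security code).
 * Reads the CN from the parsed RDN list and rejects ambiguous subjects
 * (zero CNs, several CN RDNs, or a multi-valued RDN containing a CN).
 */
public final class StrictCnExtractor {

    private StrictCnExtractor() {
    }

    /** Returns the single CN value, or throws if the subject is malformed or ambiguous. */
    public static String extractCn(X500Principal subject) {
        // RFC 2253 form keeps escaping intact, so LdapName can split RDNs unambiguously.
        String dn = subject.getName(X500Principal.RFC2253);
        List<String> cns = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (!"CN".equalsIgnoreCase(rdn.getType())) {
                    continue;
                }
                // A multi-valued RDN (CN=a+CN=b) has more than one attribute; treat as ambiguous.
                if (rdn.size() != 1) {
                    throw new IllegalArgumentException("Multi-valued RDN containing CN is not accepted");
                }
                // getValue() returns the unescaped value, so escaped separators stay inside the CN.
                cns.add(rdn.getValue().toString());
            }
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("Subject DN is not a valid X.500 name", e);
        }
        if (cns.size() != 1) {
            // Never pick "the first" or "the last" CN; an ambiguous identity is rejected.
            throw new IllegalArgumentException("Expected exactly one CN, found " + cns.size());
        }
        return cns.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample subjects for illustration; not taken from the advisory.
        X500Principal plain = new X500Principal("CN=alice,OU=Engineering,O=Example Corp,C=US");
        System.out.println("plain:  " + extractCn(plain)); // alice

        // An escaped comma inside the CN: string matching might stop early, the RDN parser does not.
        X500Principal escaped = new X500Principal("CN=bob\\, CN=other,O=Example Corp,C=US");
        System.out.println("escaped: " + extractCn(escaped)); // bob, CN=other

        // Two CN RDNs: ambiguous identity, rejected instead of silently choosing one.
        X500Principal twoCns = new X500Principal("CN=carol,CN=other,O=Example Corp,C=US");
        try {
            extractCn(twoCns);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In an application that maps certificate subjects to accounts, the value returned by extractCn would still be looked up against a user store rather than trusted as-is, and a rejection would be logged with the full RFC 2253 subject string so that odd certificates are visible to incident responders.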