Spring Boot Actuator Authentication Bypass Vulnerability

Vulnerability

A vulnerability allowing authentication bypass has been identified in Spring Boot applications that use Actuator. This issue arises when an application endpoint requiring authentication is placed under a specific path that is already assigned to a custom Health Group with an additional path configuration. The vulnerability affects Spring Boot versions 4.0.0 prior to 4.0.3, 3.5.0 prior to 3.5.11, and 3.4.0 prior to 3.4.15.

Impact

Exploitation of this vulnerability allows unauthorized access to endpoints that require authentication, potentially leading to unauthorized actions or information disclosure.

Remediation

Users of affected Spring Boot versions should upgrade to 4.0.4, 3.5.12, or 3.4.15, depending on their current version.

Added: Mar 19, 2026, 11:31 PM
Updated: Mar 19, 2026, 11:31 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.