Spring Boot Actuator Authentication Bypass Vulnerability in CloudFoundry Endpoints

Vulnerability

An authentication bypass vulnerability has been identified in Spring Boot applications that use Actuator, specifically when an application endpoint requiring authentication is placed under the CloudFoundry Actuator endpoint path. This vulnerability affects Spring Security versions 4.0.0 through 4.0.3, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.17, and 2.7.0 through 2.7.31. Older, unsupported versions are also vulnerable.

Impact

Exploitation of this vulnerability allows for authentication bypass, potentially leading to unauthorized access to protected application endpoints.

Remediation

Users of affected Spring Boot versions should upgrade to 4.0.4, 3.5.12, 3.4.15 (Commercial), 3.3.18 (Commercial), or 2.7.32 (Commercial).
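The affected ranges and fixed releases above are the kind of data a practitioner wants to turn into an automated check. The following script is an added example, not part of this advisory and not Spring's own tooling: it reads the Spring Boot version declared through `spring-boot-starter-parent` in a Maven `pom.xml` (the sample POM is constructed for the example) and reports whether that version falls inside one of the affected ranges listed on this page, returning the fixed release to move to. The version-string parsing, the handling of lines the advisory does not enumerate (older lines are reported as unsupported, newer lines as not listed), and the function names are assumptions of the example.

```python
# Added example, not from the advisory: map a declared Spring Boot version
# onto the affected ranges and fixed releases stated on the page.
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# (first affected, last affected, fixed) per release line, as listed in the advisory.
AFFECTED_RANGES = [
    ("4.0.0", "4.0.3", "4.0.4"),
    ("3.5.0", "3.5.11", "3.5.12"),
    ("3.4.0", "3.4.14", "3.4.15"),
    ("3.3.0", "3.3.17", "3.3.18"),
    ("2.7.0", "2.7.31", "2.7.32"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse the leading MAJOR.MINOR.PATCH of a version string.

    Accepts suffixes such as '3.5.11-SNAPSHOT' or '2.7.3.RELEASE'.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify a Spring Boot version against the advisory's ranges.

    Returns ("affected", fixed_version), ("fixed", None) for a patched release
    of a listed line, ("unsupported", None) for older lines the advisory calls
    vulnerable without naming a fix, or ("not_listed", None) for lines newer
    than anything the advisory covers.
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return ("affected", fixed)
        # Same MAJOR.MINOR line and at or past the fixed release.
        if v[:2] == parse_version(first)[:2] and v >= parse_version(fixed):
            return ("fixed", None)
    newest_fix = parse_version(AFFECTED_RANGES[0][2])
    if v > newest_fix:
        return ("not_listed", None)
    return ("unsupported", None)


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def spring_boot_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the version declared via the spring-boot-starter-parent parent, else None."""
    root = ET.fromstring(pom_xml)
    parent = root.find(f"{POM_NS}parent")
    if parent is None:
        return None
    if parent.findtext(f"{POM_NS}artifactId") != "spring-boot-starter-parent":
        return None
    return parent.findtext(f"{POM_NS}version")


# Constructed sample POM for the example; it declares an affected 3.5.x release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.11</version>
  </parent>
  <artifactId>demo</artifactId>
</project>
"""

if __name__ == "__main__":
    declared = spring_boot_version_from_pom(SAMPLE_POM)
    status, fixed = assess(declared)
    print(f"Spring Boot {declared}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

Projects that pin the version through a BOM import or a Gradle plugin block rather than the starter parent need a different extractor; the classification function is the same.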

Added: Mar 20, 2026, 12:28 AM
Updated: Mar 20, 2026, 12:28 AM

Vulnerability Rating (Custom Algorithm)

  spread          7.6
  impact          5.0
  exploitability  7.2
  remediation     7.7
  relevance       4.2
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.