Spring Security Path Matching Vulnerability in HttpSecurity Component

Vulnerability

A vulnerability exists in Spring Security versions 7.0.0 through 7.0.4, specifically when applications use the 'securityMatchers(String)' method along with a 'PathPatternRequestMatcher.Builder' bean to add a servlet path. In such cases, requests may not be matched correctly, causing the associated security components to be bypassed. This can deactivate authentication, authorization, and other security measures on requests that should be protected.

Impact

Exploitation of this vulnerability can lead to the unintended deactivation of authentication, authorization, and other security controls on affected requests.

Remediation

Upgrade to Spring Security 7.0.5, which addresses this vulnerability. If upgrading is not possible, include the servlet path directly in the matcher pattern as a workaround.
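The affected configuration shape and the workaround described above, side by side, as an added illustration (not code from this advisory or from the Spring Security project). It assumes the servlet path "/app" and the API path "/api/**" as constructed values, and that the page's 'securityMatchers(String)' refers to the HttpSecurity.securityMatcher(String...) entry point.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Servlet path supplied through a PathPatternRequestMatcher.Builder bean.
    // "/app" is a constructed value; the advisory names this bean plus a
    // securityMatcher pattern as the affected combination on 7.0.0 - 7.0.4.
    @Bean
    PathPatternRequestMatcher.Builder requestMatcherBuilder() {
        return PathPatternRequestMatcher.withDefaults().basePath("/app");
    }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Affected shape on 7.0.0 - 7.0.4: the pattern omits the servlet
            // path and leaves it to the builder bean. Per the advisory, requests
            // under the servlet path may then fail to match this chain, so the
            // authorization rule below is never applied to them:
            //
            //     .securityMatcher("/api/**")
            //
            // Workaround for deployments that cannot move to 7.0.5: write the
            // servlet path into the matcher pattern itself.
            .securityMatcher("/app/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A useful regression check for either form is an integration test that sends an unauthenticated request to a path under the servlet path (with MockMvc, set servletPath("/app") on the request builder) and asserts a 401 rather than a 200.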

Added: Apr 22, 2026, 6:19 AM
Updated: Apr 22, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.6
exploitability: 4.7
remediation: 7.9
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.