惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Spring Security Advisories

CVE-2026-47835: Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores CVE-2026-41862: Kryo deserialization of persisted context without class allowlist CVE-2026-41708: Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations CVE-2026-40985: Data Binding Vulnerability in Spring Web Flow with Unified EL Parser CVE-2026-40986: Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML CVE-2026-40987: Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization CVE-2026-40994: Wss4jSecurityInterceptor disables WS-I BSP validation by default CVE-2026-40995: X.509 authentication bypasses Spring Security account checks CVE-2026-40997: SOAP security faults leak Spring Security account state CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource CVE-2026-40999: Spring WS SSRF via unvalidated WS-Addressing reply destinations CVE-2026-41000: WSS4J validation does not use configured replay cache CVE-2026-40996: Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default CVE-2026-40992: Mail Auto-Configuration Does Not Enable SSL Hostname Verification CVE-2026-41001: Predictable Temp Directory in Artemis Auto-configuration CVE-2026-41699: Unsafe Deserialization in Spring GraphQL CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability CVE-2026-41695: Denial of Service in Spring Data Commons Property Path Resolution CVE-2026-41696: Spring Data MongoDB Bind Parameter Literal Quoting Breakout CVE-2026-41697: Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern CVE-2026-41711: Potential Denial of Service through crafted Sort Parameters CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names CVE-2026-41717: Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding CVE-2026-41719: Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator CVE-2026-40991: XML External Entity (XXE) injection when documenting untrusted XML content CVE-2026-41721: Spring Data Commons Denial of Service via Data Binding CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections CVE-2026-40993: Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry CVE-2026-40988: Unbounded DEFLATE Inflation in SAML 2.0 Service Provider CVE-2026-41003: Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting CVE-2026-41008: Spring Security Authorization Server Open Redirect via request_uri CVE-2026-41694: SAML Payloads Decrypted Without Valid Signature CVE-2026-41706: Open Redirect When Using CookieRequestCache CVE-2026-41714: In Spring AMQP the `RabbitConnectionFactoryBean.setUri("amqps://...")` bypasses secure SSL setup, uses `TrustEverythingTrustManager` CVE-2026-41701: In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues CVE-2026-41726: In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch CVE-2026-41730: Spring Data REST exposes persistence-layer internals in error responses CVE-2026-41727: In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization CVE-2026-41732: In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization CVE-2026-41837: Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys CVE-2026-47838: Unauthorized User Impersonation when Using X.509 Client Certificates CVE-2026-40983: Micrometer gRPC server instrumentation DoS vulnerability CVE-2026-41715: Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect CVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability CVE-2026-41007: Spring HATEOAS heap exhaustion through unbounded internal caching CVE-2026-41006: Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP CVE-2026-41838: Spring Framework Predictable Session ID in WebSocket Module CVE-2026-41839: Spring Framework Escalation via Session Fixation in WebFlux CVE-2026-41710: Cache Exhaustion in Stateful Retries leads to Denial of Service CVE-2026-41840: Spring Framework Denial of Service via Multipart Requests in WebFlux CVE-2026-41863: LLM-influenced filename used unsanitized in Path.resolve before file write in Spring AI support for Anthropic Skills API CVE-2026-40989: Self Routing guard bypassed via function composition CVE-2026-40990: Unbounded cache for function definitions CVE-2026-41705: Expression injection in MilvusVectorStore doDelete allows data destruction CVE-2026-41712: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage CVE-2026-41713: Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor CVE-2026-41002: Spring Cloud Config Server Susceptible To TOCTOU Attack CVE-2026-40982: Directory Traversal with spring-cloud-config-server CVE-2026-40981: Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager CVE-2026-41004: Spring Cloud Config Server Logged Sensitive Information CVE-2026-40968 - Medium - CVE-2026-40968: Spring gRPC SecurityContext leaks across requests on authorization failure CVE-2026-40969 - Low - CVE-2026-40969: Spring gRPC AuthenticationException message reflected to remote client CVE-2026-40966 - Moderate - CVE-2026-40966: VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration CVE-2026-40967 - High - CVE-2026-40967: VectorStore FilterExpression Converter injection CVE-2026-40978 - High - CVE-2026-40978: SQL Injection in CosmosDBVectorStore.doDelete() CVE-2026-40979 - Moderate - CVE-2026-40979: ONNX model cache defaults to world-writable predictable /tmp directory CVE-2026-40980 - Moderate - CVE-2026-40980: OOM by attacker-controlled PDF CVE-2026-40970 - Medium - CVE-2026-40970: Elasticsearch auto-configuration with an SSL bundle disables TLS hostname verification CVE-2026-40971 - Medium - CVE-2026-40971: RabbitMQ auto-configuration with an SSL bundle disables TLS hostname verification CVE-2026-40972 - High - CVE-2026-40972: DevTools remote secret comparison is vulnerable to timing attacks CVE-2026-40973 - High - CVE-2026-40973: Predictable temp directory accepted without ownership verification CVE-2026-40974 - Medium - CVE-2026-40974: Cassandra SSL auto-configuration disables TLS hostname verification CVE-2026-40975 - Medium - CVE-2026-40975: Random value property source uses a weak PRNG unsuitable for secrets CVE-2026-40977 - Medium - CVE-2026-40977: PID file write follows symlinks at predictable default path CVE-2026-40976 - Critical - CVE-2026-40976: Default security filter chain has no authorization rule with Actuator but without Health CVE-2026-22751: Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions CVE-2026-22752: Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata CVE-2026-22746: User Attribute Enumeration when Using DaoAuthenticationProvider CVE-2026-22753: Servlet Path Not Correctly Included in Path Matching of HttpSecurity#securityMatchers CVE-2026-22754: Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules CVE-2026-22747: Unauthorized User Impersonation when Using X.509 Client Certificates CVE-2026-22740: Spring Framework DoS with Multipart Temp Files in WebFlux CVE-2026-22741: Static resource cache poisoning in Spring MVC and WebFlux CVE-2026-22745 : Denial of service in static resource handling on Windows platforms CVE-2026-22750: SSL bundle configuration silently bypassed in Spring Cloud Gateway CVE-2026-22738: SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution CVE-2026-22744: RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore CVE-2026-22743: Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore CVE-2026-22742: Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching CVE-2026-22739: Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks CVE-2026-22731: Authentication Bypass under Actuator Health groups paths cve-2026-22732: Under Some Conditions Spring Security HTTP Headers Are not Written CVE-2026-22737: Spring Framework Improper Path Limitation with Script View Templates CVE-2026-22733: Authentication Bypass under Actuator CloudFoundry endpoints CVE-2026-22735: Server Sent Event stream corruption
CVE-2026-22748: Potential Security Misconfiguration when Using withIssuerLocation
Spring · 2026-04-20 · via Spring Security Advisories

Description

When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator.

This is easy to miss when using NimbusJwtDecoder#withIssuerLocation or NimbusReactiveJwtDecoder#withIssuerLocation, which may be interpreted as adding issuer validation automatically.

Recent maintenance versions of NimbusJwtDecoder#withIssuerLocation and NimbusReactiveJwtDecoder#withIssuerLocation now add issuer validation by default.

Affected Spring Products and Versions

Spring Security:

  • 6.3.0 - 6.3.14
  • 6.4.0 - 6.4.14
  • 6.5.0 - 6.5.9
  • 7.0.0 - 7.0.4
  • Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
6.3.x 6.3.15 Enterprise Support Only
6.4.x 6.4.15 Enterprise Support Only
6.5.x 6.5.10 OSS
7.0.x 7.0.5 OSS

Note that if this upgrade causes you trouble due to unwanted issuer validation, you can change it to the earlier default in the following way:

@Bean
JwtDecoder jwtDecoder() {
    String issuer = "https://issuer.example.org";
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer)
        // ... other configurations
        .build();
    jwtDecoder.setOAuth2TokenValidator(JwtValidators.createDefaults()); // set to the non-issuer default validator
    return jwtDecoder;
}

Credit

The issue was identified and responsibly reported by Daniel Seiler.

References

History

  • 2026-04-20: Initial vulnerability report published.