Missing Authentication for Critical Function in org.springframework.boot:spring-boot-actuator

CVE-2026-22731

  • org.springframework.boot:spring-boot-actuator
  • org.springframework.boot:spring-boot-actuator-autoconfigure
Severity: High
Score: 8.1/10

Summary

Spring Boot applications with Actuator can be vulnerable to an authentication bypass when an application endpoint that requires authentication is declared under a path that is already configured as a Health Group additional path. This issue affects Spring Boot's spring-boot-actuator and spring-boot-actuator-autoconfigure versions 4.0 through 4.0.3, 3.5 through 3.5.11 and 3.4 through 3.4.14. This CVE is similar to, but not equivalent to, CVE-2026-22733: the conditions for exploitation and the vulnerable versions differ.
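As an added example (not code from the advisory or from the Spring Boot project), the following audit helper reports when a declared Spring Boot version falls inside the affected ranges above and the application's `.properties` configuration sets a Health Group additional path, which is the precondition the summary names. It uses the real `management.endpoint.health.group.<name>.additional-path` property; the sample configuration and version strings are constructed.

```python
"""Audit helper (added example, not Spring's code): flag a Spring Boot app whose
Actuator version is in a range affected by CVE-2026-22731 and whose configuration
declares a Health Group additional path, the precondition named in the advisory."""
import re

# Affected ranges from the advisory: (first affected, last affected), inclusive.
AFFECTED = [((3, 4, 0), (3, 4, 14)), ((3, 5, 0), (3, 5, 11)), ((4, 0, 0), (4, 0, 3))]

# Matches the real Spring Boot property management.endpoint.health.group.<name>.additional-path
ADDITIONAL_PATH = re.compile(
    r"^\s*management\.endpoint\.health\.group\.([^.=\s]+)\.additional-path\s*=\s*(\S+)")

def parse_version(text):
    """'3.5.7' -> (3, 5, 7); '3.5' -> (3, 5, 0). Qualifiers such as -SNAPSHOT are ignored."""
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not nums:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n or 0) for n in nums.groups())

def is_affected(version):
    """True when the version lies in any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def health_group_additional_paths(properties_text):
    """Return {group: path} for every additional-path declared in .properties form."""
    found = {}
    for line in properties_text.splitlines():
        m = ADDITIONAL_PATH.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(version, properties_text):
    """Return findings; an empty list means the version is outside the affected
    ranges or no Health Group additional path is configured."""
    if not is_affected(version):
        return []
    return [f"{version}: health group '{g}' exposes additional path {p}; review "
            "authenticated endpoints under that path or upgrade (CVE-2026-22731)"
            for g, p in health_group_additional_paths(properties_text).items()]

# Constructed sample configuration (not taken from the advisory).
SAMPLE_PROPERTIES = """\
management.endpoints.web.exposure.include=health,info
management.endpoint.health.group.readiness.include=readinessState,db
management.endpoint.health.group.readiness.additional-path=server:/healthz
"""

if __name__ == "__main__":
    for finding in audit("3.5.7", SAMPLE_PROPERTIES):
        print(finding)
```

A YAML configuration expresses the same property in nested form, so extend the matcher before pointing this at `application.yml`.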

  • HIGH
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Advisory Timeline

  • Published