Direct Request ('Forced Browsing') in org.springframework.security:spring-security-web

CVE-2026-22732

org.springframework.security:spring-security-web

High

9.1/10

Summary

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: through 6.5.8, and 7.x through 7.0.3.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory
Advisory

Advisory Timeline

Published Mar 19, 2026

Direct Request ('Forced Browsing') in org.springframework.security:spring-security-web

CVE-2026-22732

Summary

CWE-425 - Direct Request ('Forced Browsing')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS