Introduction
A subtle configuration interaction in Spring Security 7.0 can silently disable your entire security filter chain, leaving protected endpoints wide open to unauthenticated access. CVE-2026-22753, disclosed on April 22, 2026, affects applications that combine securityMatchers(String) with a PathPatternRequestMatcher.Builder bean carrying a servlet path prefix, a pattern that is common in Spring Boot applications using spring.mvc.servlet.path.
The result is not a noisy error or a partial bypass; the security filter chain simply never matches the intended requests, so authentication, authorization, and every other security component configured on that chain are never exercised. With a CVSS 3.1 score of 7.5 (HIGH) and a network accessible, no authentication required attack vector, this is a vulnerability that warrants prompt attention from any team running Spring Security 7.0.x.
Technical Information
Root Cause: Ignored Application Context Bean
The vulnerability lives in HttpSecurityConfiguration, specifically in how it resolves the PathPatternRequestMatcher.Builder used when constructing security matchers.
In Spring Security 7.0.0 through 7.0.4, calling securityMatchers(String) triggered the framework to construct a fresh, default PathPatternRequestMatcher.Builder internally. This new builder had no knowledge of any PathPatternRequestMatcher.Builder bean already published in the application context.
This matters because Spring Boot automatically publishes such a bean when you configure spring.mvc.servlet.path. For example, setting spring.mvc.servlet.path=/api causes Spring Boot to publish a PathPatternRequestMatcher.Builder bean with /api set as the basePath. The intent is that all path matching in the security layer accounts for this prefix.
By ignoring the published bean, the securityMatchers operated against the raw path pattern without the servlet path prefix. A configuration like:
http .securityMatchers("/admin/**")
would attempt to match requests at /admin/** rather than /api/admin/**. Since the actual incoming requests arrive at /api/admin/**, the filter chain never matches, and no security controls are applied.
A Second Subtle Bug: Immutable Builder Misuse
A compounding issue existed in PathPatternRequestMatcherFactoryBean, the factory bean that Spring Boot uses to publish the builder. The basePath() method on the builder follows an immutable style API: it returns a new Builder instance rather than mutating the current one. The original code was:
// Before (broken) this.builder.basePath(this.basePath);
Because the return value was never reassigned, the configured basePath was silently discarded. Even if the framework had looked up the bean from the application context, the bean itself would not have carried the correct servlet path. This one line fix ensures the published factory bean actually retains the intended servlet path:
// After (fixed) this.builder = this.builder.basePath(this.basePath);
Attack Flow
An attacker does not need any special tooling or credentials to exploit this vulnerability. The attack flow is straightforward:
- The target application runs Spring Security 7.0.0 through 7.0.4 and configures
spring.mvc.servlet.pathto a non default value (e.g.,/api). - The application uses
securityMatchers(String)to define which requests should be handled by a particular security filter chain. - Due to the bug, the filter chain fails to match requests arriving at the actual servlet path prefixed URL.
- The attacker sends requests directly to the intended endpoints (e.g.,
GET /api/admin/users). Because the security filter chain does not match these requests, no authentication or authorization checks are performed. - The attacker gains unauthenticated access to resources that were intended to be protected, with the ability to read or modify data depending on the endpoint's functionality.
The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N reflects this: network accessible, low complexity, no privileges required, no user interaction, with high integrity impact.
Patch Information
The Spring Security team addressed CVE-2026-22753 in version 7.0.5, released on April 21, 2026. This is a 7.0.x only vulnerability; Spring Security 6.x and earlier are not affected because the interaction between string based matchers and a published PathPatternRequestMatcher.Builder bean is unique to the 7.0 line.
The fix is spread across two key commits by Josh Cummings, both dated April 15, 2026.
Fix 1: HttpSecurityConfiguration.java
The core fix modifies the createSharedObjects() method to prefer the application context bean over constructing a new default builder.
Previously:
sharedObjects.put(PathPatternRequestMatcher.Builder.class, constructRequestMatcherBuilder(this.context));
Changed to:
sharedObjects.put(PathPatternRequestMatcher.Builder.class, this.context.getBeanProvider(PathPatternRequestMatcher.Builder.class) .getIfUnique(() -> constructRequestMatcherBuilder(this.context)));
The new code uses getBeanProvider(...).getIfUnique(...) to look up the PathPatternRequestMatcher.Builder bean from the application context. If a unique bean exists (typically the one Spring Boot publishes with the servlet path already set as the basePath), it is used directly. Only if no such bean is found does it fall back to constructing a new default builder. This is the crucial behavioral change: securityMatchers("/admin/**") will now correctly resolve to /api/admin/** (or whatever the servlet path is) when a builder bean with that basePath is present.
Fix 2: PathPatternRequestMatcherFactoryBean.java
The immutable builder assignment bug was fixed with a single line change:
// Before (broken) this.builder.basePath(this.basePath); // After (fixed) this.builder = this.builder.basePath(this.basePath);
Both fixes are accompanied by comprehensive new test classes in HttpSecuritySecurityMatchersTests and AuthorizeHttpRequestsConfigurerTests that exercise configurations where a PathPatternRequestMatcherBuilderFactoryBean with a /spring base path is registered, verifying that securityMatcher("/path") and securityMatchers("/path") correctly match requests arriving at /spring/path and correctly ignore requests arriving at just /path.
Interim Workaround
If an immediate upgrade is not feasible, the servlet path can be placed directly into the matcher pattern:
http .securityMatchers("/servlet-path/admin/**") //...
Identifying Vulnerable Configurations
Security teams should scan application properties for the spring.mvc.servlet.path configuration. If this property is set to a value such as /api or /mvc, the application may be implicitly using the vulnerable PathPatternRequestMatcher.Builder bean and should be prioritized for remediation.
| Affected Version | Fix Version | Availability |
|---|---|---|
| 7.0.0 through 7.0.4 | 7.0.5 | OSS (open source) |
Affected Systems and Versions
This vulnerability affects Spring Security versions 7.0.0 through 7.0.4 exclusively. Spring Security 6.x and all earlier versions are not affected.
The vulnerable configuration requires both of the following conditions to be true:
- The application uses
securityMatchers(String)to define filter chain matching. - A
PathPatternRequestMatcher.Builderbean is published in the application context with a non defaultbasePath. In Spring Boot applications, this occurs whenspring.mvc.servlet.pathis set to a custom value (e.g.,/api,/mvc).
Applications that do not customize the servlet path, or that use RequestMatcher objects directly instead of string based matchers, are not affected by this specific flaw.
Vendor Security History
The Spring project maintains a responsive security posture, utilizing coordinated release trains to address vulnerabilities. The April 2026 release cycle addressed five distinct CVEs in Spring Security 7.0.x, all fixed in version 7.0.5:
| CVE ID | Severity | Vulnerability Description | Fixed Version |
|---|---|---|---|
| CVE-2026-22752 | CRITICAL | Authorization Server Dynamic Client Registration insufficient validation | 7.0.5 |
| CVE-2026-22753 | HIGH | Servlet Path Not Correctly Included in Path Matching of HttpSecurity | 7.0.5 |
| CVE-2026-22754 | HIGH | Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules | 7.0.5 |
| CVE-2026-22751 | MEDIUM | JdbcOneTimeTokenService allows a one time token to authenticate multiple sessions | 7.0.5 |
| CVE-2026-22747 | MEDIUM | Unauthorized User Impersonation when Using X.509 Client Certificates | 7.0.5 |
The presence of CVE-2026-22754 alongside CVE-2026-22753 indicates a broader pattern of servlet path handling issues in the 7.0 line. Organizations upgrading to 7.0.5 should review all five advisories to understand the full scope of fixes included in this release.
