Spring Security CVE-2026-22754: Brief Summary of an XML Authorization Bypass in the 7.0.x Line

A brief summary of CVE-2026-22754, a CVSS 7.5 authorization bypass in Spring Security 7.0.0 through 7.0.4 caused by a discarded immutable builder return value in XML intercept-url processing. Includes patch details and affected version information.

CVE Analysis


ZeroPath CVE Analysis

2026-04-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single line of code that silently discards a return value is all it takes to render every Spring Security XML authorization rule that uses the servlet-path attribute inert. CVE-2026-22754, scored at CVSS 7.5, affects Spring Security 7.0.0 through 7.0.4 and allows unauthenticated attackers to bypass endpoint authorization when applications rely on XML sec:intercept-url directives with a servlet-path attribute.

For organizations running Spring Security 7.0.x with XML based security configurations that use this attribute, the consequence is that an endpoint which appears to be properly secured may in fact be wide open to any network request.

Technical Information

Root Cause: Immutable Builder Misuse

The vulnerability originates in the PathPatternRequestMatcherFactoryBean class, which is responsible for constructing request matchers when XML based <sec:intercept-url> elements specify a servlet-path attribute. The basePath() method on the internal builder object follows an immutable design pattern: calling it returns a new builder instance configured with the supplied base path, rather than mutating the existing one.

The vulnerable code called this method but discarded the return value:

```java
// BEFORE (vulnerable), in PathPatternRequestMatcherFactoryBean.java
if (this.basePath != null) {
    this.builder.basePath(this.basePath); // return value silently discarded!
}
```

Because the newly created builder (with the servlet path correctly set) was never stored, the original this.builder continued to operate without any base path. Every URL pattern evaluated through XML intercept-url rules would therefore omit the configured servlet path, causing the associated authorization constraints to never match incoming requests.

Attack Flow

Consider an application that defines the following XML security rule:

<sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**" />

The intended behavior is for Spring Security to compose the full path (/servlet-path/endpoint/**) when evaluating authorization decisions. However, due to the discarded builder return value, the framework only evaluates against /endpoint/** without the servlet path prefix. The actual request, routed through the servlet at /servlet-path/endpoint/resource, does not match the incomplete pattern, and the authorization rule is never exercised.
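To make the mechanism concrete, here is an added example (not Spring Security's code and not from the original post): a deliberately simplified, self-contained Java model of an immutable matcher builder. The class and method names PathBuilder, buildMatcher and ruleApplies, and the minimal "/**" glob matching, are assumptions for illustration; only the discarded-versus-reassigned basePath() call mirrors the page's before/after snippets. Running it shows the vulnerable factory evaluating /endpoint/** while the patched one evaluates /servlet-path/endpoint/**, so the sample request /servlet-path/endpoint/resource is matched by the rule only after the fix.

```java
// Added example, not Spring Security's code: a simplified model of an immutable
// request-matcher builder, showing why discarding basePath()'s return value drops
// the servlet path from every XML intercept-url rule. PathBuilder, buildMatcher,
// ruleApplies and the glob logic are assumptions chosen for this illustration.
public class ImmutableBuilderBypass {

    // Immutable builder: basePath() returns a NEW instance; the receiver is untouched.
    static final class PathBuilder {
        private final String basePath;

        PathBuilder(String basePath) { this.basePath = basePath; }

        static PathBuilder withDefaults() { return new PathBuilder(""); }

        PathBuilder basePath(String basePath) {
            return new PathBuilder(basePath);
        }

        // Full pattern the matcher evaluates: basePath + pattern, e.g. /servlet-path/endpoint/**
        String fullPattern(String pattern) { return this.basePath + pattern; }

        // Minimal glob: a trailing "/**" matches the prefix itself and anything beneath it.
        boolean matches(String pattern, String requestPath) {
            String full = fullPattern(pattern);
            if (full.endsWith("/**")) {
                String prefix = full.substring(0, full.length() - 3);
                return requestPath.equals(prefix) || requestPath.startsWith(prefix + "/");
            }
            return requestPath.equals(full);
        }
    }

    // Models the factory bean applying the servlet-path attribute, before and after the patch.
    static PathBuilder buildMatcher(String servletPath, boolean patched) {
        PathBuilder builder = PathBuilder.withDefaults();
        if (servletPath != null) {
            if (patched) {
                builder = builder.basePath(servletPath);   // AFTER: keep the new instance
            } else {
                builder.basePath(servletPath);             // BEFORE: new instance discarded
            }
        }
        return builder;
    }

    // True when the intercept-url rule fires for the request, i.e. its access constraint applies.
    static boolean ruleApplies(String servletPath, String pattern, String requestPath, boolean patched) {
        return buildMatcher(servletPath, patched).matches(pattern, requestPath);
    }

    public static void main(String[] args) {
        String servletPath = "/servlet-path";
        String pattern = "/endpoint/**";
        String request = "/servlet-path/endpoint/resource";   // constructed sample request

        System.out.println("vulnerable pattern evaluated: "
                + buildMatcher(servletPath, false).fullPattern(pattern));   // /endpoint/**
        System.out.println("vulnerable rule applies: "
                + ruleApplies(servletPath, pattern, request, false));        // false: rule never fires
        System.out.println("patched pattern evaluated: "
                + buildMatcher(servletPath, true).fullPattern(pattern));    // /servlet-path/endpoint/**
        System.out.println("patched rule applies: "
                + ruleApplies(servletPath, pattern, request, true));         // true: rule enforced
    }
}
```

Run it with `java ImmutableBuilderBypass.java` (single-file source launch). The point to carry into code review is in buildMatcher: any call on a builder whose methods return a fresh instance is a no-op unless the result is stored, and the compiler will not warn about it.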

An attacker exploiting this flaw would:

  1. Identify an application using Spring Security 7.0.0 through 7.0.4 with XML based intercept-url rules that specify a servlet-path attribute.
  2. Send unauthenticated HTTP requests directly to the protected endpoints via the servlet path.
  3. Because the authorization rules never match, the requests pass through without any access control checks.

The vulnerability requires no user interaction, no prior authentication, and presents low attack complexity, all of which contribute to its CVSS 7.5 rating with high integrity impact.

Patch Information

The Spring Security team addressed CVE-2026-22754 with a minimal but impactful one line fix, committed by Josh Cummings (jzheaux) on April 15, 2026, in commit 53bcf0d. The fix shipped in Spring Security 7.0.5 (released April 20, 2026) and is also included in 7.1.0-RC1.

The fix is a one line change that captures the returned builder by reassigning the field:

```java
// AFTER (patched)
if (this.basePath != null) {
    this.builder = this.builder.basePath(this.basePath); // reassign!
}
```

By storing the new builder instance back into this.builder, the servlet path is now correctly incorporated into all subsequent request matcher constructions. This ensures that XML rules properly compose the full path (/servlet-path/endpoint/**) when evaluating authorization decisions.

Alongside the production fix, the commit includes 72 new lines of test code in InterceptUrlConfigTests.java, adding coverage for servlet path based authorization across both the legacy AccessDecisionManager and the newer AuthorizationManager code paths. Tests now explicitly assert that requests to the combined servlet path plus endpoint pattern are correctly denied, while requests that do not match the servlet path prefix pass through as expected.

The fix was released as part of a coordinated security release that also addressed six other CVEs (in the CVE-2026-22746 through CVE-2026-22753 range). The corresponding Spring Boot hotfix versions are 3.4.15.2 and 3.3.18.2.

Temporary Workaround: For organizations unable to upgrade immediately, the vendor recommends placing the servlet path directly into the URL pattern string rather than using the dedicated servlet-path attribute. This avoids the broken code path entirely.
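As a practical check, here is an added example (not from the original page and not Spring project code) that parses a Spring Security XML configuration, lists every sec:intercept-url that relies on the servlet-path attribute, and prints for each the workaround form the page describes, with the servlet path folded into the pattern string. The class name, the Finding record and the embedded sample configuration are constructed for this example; a real run would feed each XML file's contents to scan().

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not part of the original page or of Spring Security: finds
// <sec:intercept-url> rules that use the servlet-path attribute (the form affected by
// CVE-2026-22754) and suggests the advisory's workaround pattern for each.
public class InterceptUrlServletPathScanner {

    static final String SEC_NS = "http://www.springframework.org/schema/security";

    // Constructed sample: one rule uses the affected attribute, one already uses the workaround form.
    static final String SAMPLE_XML =
        "<beans xmlns=\"http://www.springframework.org/schema/beans\"\n"
      + "       xmlns:sec=\"" + SEC_NS + "\">\n"
      + "  <sec:http>\n"
      + "    <sec:intercept-url servlet-path=\"/servlet-path\" pattern=\"/endpoint/**\" access=\"hasRole('ADMIN')\"/>\n"
      + "    <sec:intercept-url pattern=\"/servlet-path/other/**\" access=\"authenticated\"/>\n"
      + "  </sec:http>\n"
      + "</beans>\n";

    // One finding per intercept-url that relies on the servlet-path attribute.
    record Finding(String servletPath, String pattern, String workaroundPattern) {}

    static List<Finding> scan(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The config is trusted input, but refuse DOCTYPE/entity expansion anyway.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<Finding> findings = new ArrayList<>();
        NodeList rules = doc.getElementsByTagNameNS(SEC_NS, "intercept-url");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            if (!rule.hasAttribute("servlet-path")) {
                continue;   // pattern-only rules do not go through the affected code path
            }
            String servletPath = rule.getAttribute("servlet-path");
            String pattern = rule.getAttribute("pattern");
            // Workaround from the advisory: put the servlet path directly into the pattern string.
            findings.add(new Finding(servletPath, pattern, servletPath + pattern));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (Finding f : scan(SAMPLE_XML)) {
            System.out.println("affected rule: servlet-path=\"" + f.servletPath()
                + "\" pattern=\"" + f.pattern() + "\"");
            System.out.println("  workaround:  pattern=\"" + f.workaroundPattern() + "\"");
        }
    }
}
```

Run it with `java InterceptUrlServletPathScanner.java` (Java 16 or later for the record). A plain `grep -rn 'servlet-path=' --include='*.xml'` over the source tree is a cheaper first pass; the namespace-aware parse is worth it when the same attribute name appears in unrelated XML, and it produces the exact replacement pattern to drop in until the upgrade to 7.0.5 lands.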

Affected Systems and Versions

Component | Affected Versions | Fixed Version | Status
Spring Security | 7.0.0 through 7.0.4 | 7.0.5 | Patched
Spring Security | 6.x and earlier | Not applicable | Unaffected
Spring Security | 7.1.0-RC1 and later | Not applicable | Unaffected

The vulnerability specifically affects applications that use XML based <sec:intercept-url> directives with the servlet-path attribute. Applications using Java DSL configuration are not affected by this particular CVE (though a related issue, CVE-2026-22753, covers the analogous flaw in HttpSecurity Java DSL configuration).

Spring Boot versions 3.4.15.2 and 3.3.18.2 include the patched Spring Security dependency.

Vendor Security History

The April 21, 2026 coordinated release addressed seven CVEs across Spring Security 7.0.x, indicating a concentrated effort to harden the new major version; four of them are summarized below:

CVE | Issue Summary | Affected Component
CVE-2026-22754 | Servlet path excluded in XML rules | XML Configuration
CVE-2026-22753 | Servlet path excluded in HttpSecurity | Java DSL
CVE-2026-22747 | Unauthorized user impersonation | X.509 Certificates
CVE-2026-22746 | User attribute enumeration | DaoAuthenticationProvider

The presence of CVE-2026-22753 alongside CVE-2026-22754 is notable: the same class of bug (servlet path omission) manifested in both the XML and Java DSL configuration paths, suggesting the immutable builder pattern was consistently misused across multiple integration points in the 7.0.x line.
