Vulnerability Description
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security servlet applications using lazy (default) writing of HTTP headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, and from 7.0.0 through 7.0.3.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Spring Security | < 5.7.22 |
References
- https://spring.io/security/cve-2026-22732 (Vendor Advisory, Exploit)
FAQ
What is CVE-2026-22732?
CVE-2026-22732 is a vulnerability with a CVSS score of 9.1 (CRITICAL). When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security ...
How severe is CVE-2026-22732?
CVE-2026-22732 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-22732?
Check the references section above for vendor advisories and patch information. Affected products include: VMware Spring Security.