Homepage

Authentication Bypass Using an Alternate Path or Channel Affecting org.springframework.boot:spring-boot-actuator-autoconfigure package, versions [3.4.0,3.5.12)[4.0.0-M1,4.0.4)

Severity

 Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-15701839
  • published20 Mar 2026
  • disclosed20 Mar 2026
  • creditGyu-hyeok Lee (g2h)
Report a new vulnerability Found a mistake?

Introduced: 20 Mar 2026

CVE-2026-22731  (opens in a new tab)
CWE-288  (opens in a new tab)

How to fix?

Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 3.5.12, 4.0.4 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending requests to these specific paths.

Note:

This is only exploitable if all of the following conditions are met:

  • the application declares a custom health group (here "mygroup"), with management.endpoint.health.group.mygroup.include

  • this health group is exposed under an additional path on the main server, like management.endpoint.health.group.mygroup.additional-path=server:/healthz

  • the application contributes an application endpoint that requires authentication under a subpath, like "/healthz/admin"

Mapping application endpoints under infrastructure endpoints like Actuators is not recommended by the Spring team and doing so is likely to interfere with other configurations and cause behavior problems. This setup is expected to rarely occur in production.

CVSS Base Scores

version 4.0
version 3.1