CVE-2026-22753: Spring Security Filter Chain Bypass
Spring Security has disclosed a high-severity vulnerability tracked as CVE-2026-22753, carrying a CVSS score of 7.5. The flaw affects applications that configure security filter chains using both securityMatchers(String) and a PathPatternRequestMatcher.Builder bean configured to prepend a servlet path. Under this combination, the request-matching logic silently fails — the filter chain does not match incoming requests as intended, meaning the security rules bound to that chain are never applied.
The practical consequence is security enforcement gaps: endpoints intended to be protected by a specific filter chain (authentication checks, authorization rules, CSRF protection, rate limiting, etc.) are not guarded as expected. Affected applications may unknowingly expose protected endpoints without any error or log warning indicating the misconfiguration.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-22753 |
| CVSS Score | 7.5 (High) |
| Affected Component | Spring Security — securityMatchers(String) with PathPatternRequestMatcher.Builder |
| CWE | CWE-284: Improper Access Control |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Disclosure Date | April 22, 2026 |
Technical Analysis
Root Cause
The vulnerability arises from an interaction between two Spring Security configuration mechanisms:
securityMatchers(String)— a method used to define which requests a givenSecurityFilterChainhandles, specified as a URL pattern string.PathPatternRequestMatcher.Builderbean — when registered as a Spring bean and configured with a servlet path prefix, it is intended to makesecurityMatcherspatterns relative to that servlet path.
When both are present, the PathPatternRequestMatcher.Builder servlet path is applied inconsistently during the matching phase. The constructed matcher does not correctly bind the servlet path context to the string patterns supplied via securityMatchers(String), causing the pattern evaluation to fail silently. Requests that should match the filter chain do not match — and since Spring Security falls through to any lower-priority filter chain (or no chain at all), the intended security rules are skipped entirely.
Vulnerable Configuration Pattern
@Bean
public PathPatternRequestMatcher.Builder matcherBuilder() {
return PathPatternRequestMatcher.withDefaults()
.servletPath("/api"); // prepends /api to all matchers
}
@Bean
@Order(1)
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
http
// Intended to match /api/admin/** — but matching silently fails
// when PathPatternRequestMatcher.Builder bean is present
.securityMatchers(matchers -> matchers.requestMatchers("/admin/**"))
.authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
.httpBasic(Customizer.withDefaults());
return http.build();
}In this pattern, requests to /api/admin/sensitive may bypass the admin-only filter chain entirely, landing in a less-restrictive or permit-all chain.
Attack Flow
1. Application configures PathPatternRequestMatcher.Builder bean
with servlet path prefix (e.g., /api)
2. Application defines a SecurityFilterChain using securityMatchers(String)
with patterns intended to be relative to that servlet path
3. At runtime, the matcher construction fails silently — patterns
do not match the filter chain as the developer expected
4. Incoming HTTP requests to the intended protected endpoints do not
match the intended filter chain
5. Requests fall through to a permissive or default filter chain,
bypassing authentication, authorization, CSRF, or other security controls
6. Attacker accesses protected endpoints without the intended credentials or rolesWhy This Is a Silent Failure
The particularly dangerous aspect of CVE-2026-22753 is that the application continues to function normally — there is no exception, no startup error, and no runtime warning. The security configuration appears valid. Only manual testing of the actual security enforcement, or a security audit, would reveal that the filter chain is not matching as intended.
Affected Configurations
Not all Spring Security deployments are affected. The vulnerability requires both of the following:
| Condition | Details |
|---|---|
PathPatternRequestMatcher.Builder bean registered | With .servletPath(...) configured |
securityMatchers(String) used | Passing URL pattern strings (not RequestMatcher objects) |
Applications that:
- Use
securityMatcherswith explicitRequestMatcherobjects (not strings) - Do not register a
PathPatternRequestMatcher.Builderbean with servlet path - Use the deprecated
AntPathRequestMatcherdirectly
...are not affected by this vulnerability.
Remediation
Option 1: Apply the Spring Security Patch
Upgrade to the patched version of Spring Security as specified in the Spring Security security advisory. The fix ensures that PathPatternRequestMatcher.Builder servlet path context is correctly propagated when securityMatchers(String) patterns are resolved.
<!-- Maven — update spring-security-bom to patched version -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-bom</artifactId>
<version><!-- patched version --></version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>// Gradle
dependencies {
implementation platform('org.springframework.security:spring-security-bom:<!-- patched version -->')
}Option 2: Explicit RequestMatcher Objects
As an immediate workaround, replace string-based securityMatchers(String) patterns with explicit PathPatternRequestMatcher instances that include the full path (including servlet prefix):
@Bean
@Order(1)
public SecurityFilterChain apiFilterChain(
HttpSecurity http,
PathPatternRequestMatcher.Builder matcherBuilder) throws Exception {
http
// Use explicit matcher with full path instead of string pattern
.securityMatchers(matchers -> matchers
.requestMatchers(matcherBuilder.matcher("/admin/**"))) // explicit, not String
.authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
.httpBasic(Customizer.withDefaults());
return http.build();
}This bypasses the broken string-to-pattern resolution path and uses the PathPatternRequestMatcher.Builder correctly.
Detection and Verification
Test Security Enforcement
Verify that your filter chains are matching as intended by testing access to protected endpoints without credentials:
# Should return 401 Unauthorized — if it returns 200, your chain is not matching
curl -v http://localhost:8080/api/admin/sensitive
# Test with Spring Security test support
@Test
void adminEndpointRequiresAuth() throws Exception {
mockMvc.perform(get("/admin/sensitive"))
.andExpect(status().isUnauthorized());
}Check for Vulnerable Pattern in Code
Search your Spring Security configuration for the combination of both features:
# Search for securityMatchers with String patterns alongside PathPatternRequestMatcher.Builder
grep -r "securityMatchers" src/ --include="*.java" -l
grep -r "PathPatternRequestMatcher.Builder" src/ --include="*.java" -lIf the same configuration class appears in both results, review carefully to determine if the servlet path is being applied correctly.
Review Actuator and Security Audit Logs
Spring Boot Actuator's security reporting and DEBUG-level Spring Security logging can reveal which filter chains are matching which requests:
# Enable Spring Security debug logging
logging.level.org.springframework.security=DEBUGLook for log lines indicating which SecurityFilterChain is selected for a given request — if protected endpoints are matched by an unintended chain, the vulnerability is present.
Key Takeaways
- CVE-2026-22753 is a CVSS 7.5 High flaw in Spring Security's filter chain matching — it silently fails to apply security rules when
securityMatchers(String)is combined withPathPatternRequestMatcher.Builderservlet path configuration - The vulnerability is a silent failure — no exception or warning is raised; the application appears to start normally while silently exposing protected endpoints
- Affected applications may have endpoints intended to require authentication or specific roles that are accessible without any credentials
- Upgrade Spring Security to the patched version immediately; as a workaround, replace string-based
securityMatcherspatterns with explicitPathPatternRequestMatcherinstances - Test your security filter chains with automated tests to verify enforcement — do not rely solely on configuration review