org.springframework.security:spring-security-core (maven) security advisories

MEDIUM 4.8

Maven

CVE-2026-22751

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

Apr 21, 2026

LOW 3.7

Maven

CVE-2026-22746

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Apr 22, 2026

HIGH 7.5

Maven

CVE-2025-41248

Spring Security annotation detection mechanism has authorization bypass

Sep 16, 2025

MEDIUM 5.3

Maven

CVE-2025-22223

Spring Security Vulnerable to Authorization Bypass via Security Annotations

Mar 24, 2025

MEDIUM 4.8

Maven

CVE-2024-38827

Spring Framework has Authorization Bypass for Case Sensitive Comparisons

Dec 2, 2024

HIGH 8.2

Maven

CVE-2024-22257

Erroneous authentication pass in Spring Security

Mar 18, 2024

MEDIUM 5.3

Maven

CVE-2025-22234

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

Jan 22, 2026

CRITICAL 9.1

Maven

CVE-2025-41232

Spring Security authorization bypass for method security annotations on private methods

May 21, 2025

MEDIUM 6.5

Maven

CVE-2024-38810

Spring Security Missing Authorization vulnerability

Aug 20, 2024

HIGH 7.4

Maven

CVE-2024-22234

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

Feb 20, 2024

UNKNOWN

Maven

CVE-2011-2731

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

May 17, 2022

UNKNOWN

Maven

CVE-2012-5055

Exposure of Sensitive Information to an Unauthorized Actor in Spring Security

May 17, 2022

UNKNOWN

Maven

CVE-2011-2732

Improper Control of Generation of Code in Spring Security

May 17, 2022

UNKNOWN

Maven

CVE-2010-3700

Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security

May 14, 2022

UNKNOWN

Maven

CVE-2011-2894

Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data

May 14, 2022

HIGH 7.5

Maven

CVE-2016-5007

Spring Security and Spring Framework may not recognize certain paths that should be protected

Oct 17, 2018

HIGH 7.5

Maven

CVE-2016-9879

Security Constraint Bypass in Spring Security

Sep 15, 2020

CRITICAL 9.8

Maven

CVE-2022-22978

Authorization bypass in Spring Security

May 20, 2022

MEDIUM 5.3

Maven

CVE-2022-22976

Integer overflow in BCrypt class in Spring Security

May 20, 2022

CRITICAL 9.8

Maven

CVE-2014-3527

Authorization Bypass in Spring Security

Sep 15, 2020

MEDIUM 5.3

Maven

CVE-2018-1199

Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core

Oct 17, 2018

HIGH 7.4

Maven

CVE-2018-15801

Spring Security vulnerable to Authorization Bypass

Dec 20, 2018

HIGH 8.1

Maven

CVE-2017-4995

Deserialization of Untrusted Data in Spring Security

May 13, 2022

CRITICAL 9.8

Maven

CVE-2022-31692

Spring Security authorization rules can be bypassed via forward or include dispatcher types

Nov 1, 2022

MEDIUM 6.3

Maven

CVE-2023-20862

Spring Security logout not clearing security context

Apr 19, 2023

HIGH 7.5

Maven

CVE-2021-22119

Resource Exhaustion in Spring Security

Jul 2, 2021

MEDIUM 6.5

Maven

CVE-2020-5408

Insufficient Entropy in Spring Security

Jun 15, 2020

HIGH 8.8

Maven

CVE-2020-5407

Signature wrapping vulnerability in Spring Security

Jun 5, 2020

MEDIUM 5.3

Maven

CVE-2019-3795

Spring Security uses insufficiently random values

Apr 16, 2019

HIGH 7.3

Maven

CVE-2019-11272

Insufficiently Protected Credentials and Improper Authentication in Spring Security

Jun 27, 2019

HIGH 7.3

Maven

CVE-2014-0097

Improper Authentication in Spring Security

May 13, 2022

org.springframework.security:spring-security-core

Vulnerabilities

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Spring Security annotation detection mechanism has authorization bypass

Spring Security Vulnerable to Authorization Bypass via Security Annotations

Spring Framework has Authorization Bypass for Case Sensitive Comparisons

Erroneous authentication pass in Spring Security

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

Spring Security authorization bypass for method security annotations on private methods

Spring Security Missing Authorization vulnerability

Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Exposure of Sensitive Information to an Unauthorized Actor in Spring Security

Improper Control of Generation of Code in Spring Security

Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security

Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data

Spring Security and Spring Framework may not recognize certain paths that should be protected

Security Constraint Bypass in Spring Security

Authorization bypass in Spring Security

Integer overflow in BCrypt class in Spring Security

Authorization Bypass in Spring Security

Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core

Spring Security vulnerable to Authorization Bypass

Deserialization of Untrusted Data in Spring Security

Spring Security authorization rules can be bypassed via forward or include dispatcher types

Spring Security logout not clearing security context

Resource Exhaustion in Spring Security

Insufficient Entropy in Spring Security

Signature wrapping vulnerability in Spring Security

Spring Security uses insufficiently random values

Insufficiently Protected Credentials and Improper Authentication in Spring Security

Improper Authentication in Spring Security

Start Securing