Spring Security HTTP Headers Are not Written Under Some Conditions

GHSA-mf92-479x-3373 · CVE-2026-22732

Published Mar 20, 2026 · Modified Mar 25, 2026

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.
This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22732
PACKAGE https://github.com/spring-projects/spring-security
WEB https://spring.io/security/cve-2026-22732

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes