MEDIUM 5.3 Maven

Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

GHSA-cvc6-q2cp-2xhw · CVE-2026-22748


Description

A vulnerability exists in Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security versions 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4.
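As an added illustration (not code from the advisory or from the Spring Security project), the following shows the misconfigured pattern beside the corrected one for both decoders the advisory names. The issuer URL and the class name are placeholders; the point is that the validator is attached explicitly with setJwtValidator rather than assumed.

```java
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

public class JwtDecoderConfig {

    // Placeholder issuer; in a real deployment this comes from configuration
    // (for example spring.security.oauth2.resourceserver.jwt.issuer-uri).
    static final String ISSUER = "https://issuer.example.com";

    // Misconfiguration pattern described by the advisory: the decoder is built
    // from the issuer location, but no OAuth2TokenValidator is attached.
    static JwtDecoder unvalidatedDecoder() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    // Corrected servlet form: attach a validator explicitly via setJwtValidator.
    // JwtValidators.createDefaultWithIssuer combines the default timestamp
    // checks with an issuer check against the token's "iss" claim.
    static JwtDecoder validatedDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }

    // Corrected reactive form: NimbusReactiveJwtDecoder needs the same
    // explicit validator; the builder alone does not express the requirement.
    static ReactiveJwtDecoder validatedReactiveDecoder() {
        NimbusReactiveJwtDecoder decoder =
                NimbusReactiveJwtDecoder.withIssuerLocation(ISSUER).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

When reviewing an affected application, search for NimbusJwtDecoder or NimbusReactiveJwtDecoder builders that are not followed by a setJwtValidator call, and upgrade to a fixed release in addition to applying the explicit validator.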
