Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NVMware Spring Security
APPVmware5.6.0 β 5.6.12 (bez)5.7.0 β 5.7.10 (bez)5.8.0 β 5.8.5 (bez)6.0.0 β 6.0.5 (bez)6.1.0 β 6.1.2 (bez)
π’
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Related vulnerabilities
CVE-2026-22732CRITICAL9.1PL βten sam produkt
VMware Spring Security β brak zapisu nagΕΓ³wkΓ³w HTTP odpowiedzi
CVE-2022-31692CRITICAL9.8ten sam produkt
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rule...
CVE-2022-22978CRITICAL9.8ten sam produkt
In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatc...
CVE-2014-3527CRITICAL9.8ten sam produkt
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could...
CVE-2026-40988HIGH7.5ten sam produkt
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Log...