CVE Vulnerability Database

CVE-2026-22747: Spring Security Auth Bypass Vulnerability

CVE-2026-22747 is an authentication bypass vulnerability in VMware Spring Security affecting versions 7.0.0 through 7.0.4. An attacker who can present a client certificate with a crafted Subject Common Name (CN) during mutual TLS can be authenticated as another user. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2026-22747 Overview

CVE-2026-22747 is a certificate validation vulnerability [CWE-297] in Spring Security affecting versions 7.0.0 through 7.0.4. The SubjectX500PrincipalExtractor component fails to correctly parse certain malformed Common Name (CN) values within X.509 certificates. An attacker who crafts a certificate with a specific malformed CN can cause the extractor to read the wrong value as the authenticated username. This parsing flaw enables user impersonation in applications that rely on X.509 client certificate authentication.

Critical Impact

A network-reachable attacker who holds a client certificate that the server's trust store accepts, and who controls that certificate's Subject CN, can impersonate other users by presenting it during mutual TLS, leading to high confidentiality and integrity loss.

Affected Products

  • Spring Security 7.0.0 through 7.0.4
  • Applications using SubjectX500PrincipalExtractor for X.509 authentication
  • VMware Spring framework deployments relying on certificate-based user identification

Discovery Timeline

  • 2026-04-22 - CVE-2026-22747 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-22747

Vulnerability Analysis

The vulnerability resides in Spring Security's SubjectX500PrincipalExtractor, the component responsible for extracting a principal identifier from an X.509 certificate's Subject Distinguished Name (DN). When the extractor encounters specific malformed CN attribute values inside the Subject DN, it does not parse the field according to the expected RFC 2253 grammar. Instead, it returns an unintended substring as the username.

Applications consuming this principal name treat the returned value as a verified identity. An attacker who controls the certificate content can therefore steer the extractor to emit the username of a victim account. The resulting authentication decision binds the attacker's session to the victim's identity within the application's authorization layer.

This category of flaw is classified as Improper Validation of Certificate with Host Mismatch [CWE-297]. The network attack vector and low privilege requirement reflect that the attacker only needs to present a client certificate during TLS mutual authentication. Because the TLS layer validates the certificate chain before Spring Security ever sees the certificate, that certificate must still chain to a CA the server trusts; the flaw is that, once the chain is accepted, the CN is extracted from the Subject DN without honoring the DN grammar.

Root Cause

The root cause is incorrect handling of CN values that contain reserved characters, escaped sequences, or embedded DN-style separators. The extractor's parsing logic accepts these malformed values rather than rejecting them or normalizing them to a canonical form. As a result, the attribute boundary that defines where the CN ends is misidentified, and a different portion of the DN is returned as the username.

Attack Vector

An attacker generates an X.509 certificate whose Subject DN contains a crafted CN designed to exploit the parsing inconsistency. The attacker then presents this certificate during mutual TLS authentication to a Spring Security-protected endpoint. Spring Security extracts what it believes is the CN, returning the attacker's chosen victim username. The application then issues a session bound to the victim identity.

No proof-of-concept exploit is published with this advisory. Technical details are available in the Spring Security Advisory for CVE-2026-22747.

Detection Methods for CVE-2026-22747

Indicators of Compromise

  • Client certificates whose Subject DN contains unusual escape sequences, embedded commas, equals signs, or multi-value RDN syntax inside the CN field
  • Authentication events where the principal name resolved from a certificate does not match the certificate's serial number or fingerprint history for that user
  • Successful X.509 authentications followed by activity inconsistent with the claimed user's normal behavior, such as new source IP, geolocation, or access patterns

Detection Strategies

  • Log the full Subject DN and SHA-256 fingerprint of every presented client certificate, then alert on DNs containing characters outside the expected character set for CN fields
  • Correlate the resolved username with the certificate fingerprint across historical authentications and flag mismatches
  • Inspect Spring Security audit logs for parsing warnings or anomalies from SubjectX500PrincipalExtractor
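The fingerprint correlation and DN character checks from the list above, as an added example (not from the advisory and not Spring Security code): a small detector run over constructed mTLS authentication log lines. The log line format (ts, fp, subject and principal fields), the class name X509AuthLogDetector and the three sample records are assumptions; adapt the line regex to whatever your application actually logs. The sample subject containing an escaped comma illustrates the indicator pattern only and is not a known-working payload.

```java
// Added example, not Spring Security code: detection logic for CVE-2026-22747 indicators
// run over constructed log lines. Log format and sample data are assumptions.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class X509AuthLogDetector {

    // Assumed log format: ts=<iso8601> fp=<sha256hex> subject="<RFC 2253 DN>" principal=<name>
    private static final Pattern LINE = Pattern.compile(
            "ts=(\\S+) fp=([0-9a-f]{64}) subject=\"([^\"]*)\" principal=(\\S+)");

    // Backslash escapes, '+' (multi-valued RDN) and '#' (hex-encoded value) are legal DN
    // syntax but rarely appear in an ordinary client certificate subject: flag them.
    private static final Pattern SUSPICIOUS_DN_SYNTAX = Pattern.compile("[\\\\+#]");

    // First certificate fingerprint observed for each resolved principal.
    private final Map<String, String> firstFingerprintByPrincipal = new HashMap<>();

    // Returns one alert string per finding; an empty list means nothing suspicious.
    public List<String> scan(List<String> lines) {
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) {
                alerts.add("UNPARSED " + line);
                continue;
            }
            String ts = m.group(1), fp = m.group(2), subject = m.group(3), principal = m.group(4);

            // Strategy 1: characters outside the expected CN/DN character set.
            if (SUSPICIOUS_DN_SYNTAX.matcher(subject).find()) {
                alerts.add(ts + " SUSPICIOUS_DN_SYNTAX principal=" + principal + " subject=" + subject);
            }
            // Strategy 2: the same principal resolved from a different certificate than before.
            String known = firstFingerprintByPrincipal.putIfAbsent(principal, fp);
            if (known != null && !known.equals(fp)) {
                alerts.add(ts + " FINGERPRINT_MISMATCH principal=" + principal
                        + " known=" + known.substring(0, 12) + " seen=" + fp.substring(0, 12));
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample fingerprints and log records (not real data).
        String fpAlice = "a".repeat(64);
        String fpMallory = "b".repeat(64);
        List<String> sample = List.of(
            "ts=2026-04-22T10:00:00Z fp=" + fpAlice
                + " subject=\"CN=alice,OU=staff,O=Example\" principal=alice",
            "ts=2026-04-22T10:05:00Z fp=" + fpMallory
                + " subject=\"CN=mallory,OU=staff,O=Example\" principal=mallory",
            // Escaped comma inside the CN and a principal that does not match the certificate owner.
            "ts=2026-04-22T10:09:00Z fp=" + fpMallory
                + " subject=\"CN=mallory\\,CN=alice,OU=staff,O=Example\" principal=alice"
        );
        new X509AuthLogDetector().scan(sample).forEach(System.out::println);
    }
}
```

Keying on the first fingerprint seen per principal is deliberately simple; in production keep a set of fingerprints per principal and age it with your certificate rotation period so routine renewals do not alert.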

Monitoring Recommendations

  • Forward Spring Security authentication logs to a centralized analytics platform and build identification rules that join certificate fingerprint to resolved principal
  • Monitor for the issuance or use of client certificates with CN values containing backslash (\), comma (,), equals sign (=) or plus (+) characters
  • Track Spring Security version inventory across services to confirm that no instance remains on 7.0.0 through 7.0.4

How to Mitigate CVE-2026-22747

Immediate Actions Required

  • Upgrade Spring Security to a fixed release above 7.0.4 as published in the vendor advisory
  • Audit all applications that configure SubjectX500PrincipalExtractor or rely on X.509 client certificate authentication
  • Revoke and reissue client certificates issued from internal certificate authorities that may have accepted malformed CN values

Patch Information

VMware has published guidance and fixed versions in the Spring Security Advisory for CVE-2026-22747. Apply the upgrade through standard dependency management, then redeploy affected services. Verify the upgrade both in the resolved dependency tree and at runtime (the spring-security-core jar actually on the classpath), since a transitive dependency or a BOM can pin an older version than the one declared.

Workarounds

  • Replace SubjectX500PrincipalExtractor with a custom X509PrincipalExtractor that validates the CN against a strict allowlist of characters before returning it
  • Constrain the issuing certificate authority to reject certificate signing requests whose CN contains DN reserved characters or escape sequences
  • Enforce additional authentication factors beyond the certificate principal so that a forged CN alone does not grant access
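The first workaround above, as an added example that is not Spring Security's own code and not from the advisory (it also illustrates the attribute-boundary point from the Root Cause section): an X509PrincipalExtractor that parses the Subject DN with the JDK's javax.naming.ldap.LdapName according to the RFC 2253 grammar instead of locating CN= by substring, rejects multi-valued RDNs and hex-encoded values, requires exactly one CN, and applies a character allowlist. The class name StrictCnPrincipalExtractor and the allowlist pattern are assumptions; the allowlist must match the usernames your identity store actually issues.

```java
// Added example, not Spring Security code: a strict replacement for SubjectX500PrincipalExtractor.
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

public class StrictCnPrincipalExtractor implements X509PrincipalExtractor {

    // Assumed allowlist: 1-64 letters, digits, '.', '_' or '-'. Tighten or loosen to match
    // the usernames your identity store actually issues.
    private static final Pattern ALLOWED_CN = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    @Override
    public Object extractPrincipal(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        return extractCn(dn);
    }

    // Package-visible so the DN logic can be unit-tested without building certificates.
    static String extractCn(String rfc2253Dn) {
        LdapName name;
        try {
            // LdapName applies the RFC 2253 grammar: "\," stays inside a value, "," separates RDNs,
            // "+" joins attributes of one RDN, "#..." is a hex-encoded value.
            name = new LdapName(rfc2253Dn);
        } catch (InvalidNameException e) {
            throw new BadCredentialsException("Subject DN is not a valid RFC 2253 name");
        }
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : name.getRdns()) {
            // A multi-valued RDN such as CN=a+CN=b has no single unambiguous CN: reject it.
            if (rdn.size() != 1) {
                throw new BadCredentialsException("Multi-valued RDN in subject DN");
            }
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                Object value = rdn.getValue();
                // Rdn.getValue() is a String for string-typed attributes; a byte[] (hex form) is rejected.
                if (!(value instanceof String)) {
                    throw new BadCredentialsException("Non-string CN value");
                }
                cns.add((String) value);
            }
        }
        if (cns.size() != 1) {
            throw new BadCredentialsException("Expected exactly one CN, found " + cns.size());
        }
        String cn = cns.get(0);
        // The unescaped value is checked, so CN=foo\,bar (value "foo,bar") fails here.
        if (!ALLOWED_CN.matcher(cn).matches()) {
            throw new BadCredentialsException("CN contains characters outside the allowlist");
        }
        return cn;
    }
}
```

Register it with http.x509(x509 -> x509.x509PrincipalExtractor(new StrictCnPrincipalExtractor())). The extractor throws BadCredentialsException on any ambiguity, mirroring what Spring Security's own extractors do when no CN is found, so a certificate with an oddly formed subject yields no identity rather than the wrong one. Parsing the DN properly is the point: with LdapName, a subject such as CN=attacker,OU=x\,CN=victim contains exactly one CN (attacker) because the escaped comma stays inside the OU value.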
```bash
# Verify the resolved Spring Security version in a Gradle project
# (look for spring-security-core later than 7.0.4 in the output)
./gradlew dependencyInsight --dependency spring-security-core --configuration runtimeClasspath

# Or with Maven
mvn dependency:tree -Dincludes=org.springframework.security:spring-security-core
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
