CVE-2026-22748 Overview
A vulnerability exists in Spring Security affecting JWT token validation when applications configure JWT decoding using NimbusJwtDecoder or NimbusReactiveJwtDecoder. When these decoders are used, applications must separately configure an OAuth2TokenValidator<Jwt> by calling setJwtValidator. If that validator is not configured, incoming JWT tokens are not adequately validated, potentially allowing attackers to bypass security controls.
Critical Impact
Applications using Spring Security's Nimbus JWT decoders without proper validator configuration may accept invalid or malicious JWT tokens, potentially leading to unauthorized access or integrity bypass.
Affected Products
- Spring Security versions 6.3.0 through 6.3.14
- Spring Security versions 6.4.0 through 6.4.14
- Spring Security versions 6.5.0 through 6.5.9
- Spring Security versions 7.0.0 through 7.0.4
Discovery Timeline
- 2026-04-22 - CVE-2026-22748 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-22748
Vulnerability Analysis
This vulnerability is classified under CWE-20 (Improper Input Validation) and affects Spring Security's JWT authentication mechanisms. The issue arises from a configuration gap where applications using NimbusJwtDecoder or NimbusReactiveJwtDecoder must explicitly configure JWT validation through the setJwtValidator method. Without this additional configuration step, the JWT decoding process may not perform adequate validation checks on incoming tokens.
The network-based attack vector with high complexity requirements indicates that exploitation requires specific conditions to be met, including the target application having the vulnerable configuration pattern. The integrity impact is high, meaning successful exploitation could allow attackers to modify or forge authentication tokens.
Root Cause
The root cause stems from a design pattern in Spring Security's Nimbus JWT decoder implementation where token validation is decoupled from token decoding. While NimbusJwtDecoder and NimbusReactiveJwtDecoder handle the parsing and decoding of JWT tokens, the validation logic must be explicitly attached via OAuth2TokenValidator<Jwt>. Applications that configure JWT decoding without also configuring appropriate validators leave a security gap where tokens may not be properly validated for claims, expiration, issuer, or other critical fields.
Attack Vector
The vulnerability is exploitable over the network and requires low privileges but high attack complexity. An attacker would need to:
- Identify a target application using Spring Security with NimbusJwtDecoder or NimbusReactiveJwtDecoder
- Determine that the application has not properly configured OAuth2TokenValidator<Jwt>
- Craft malicious JWT tokens that would normally fail validation checks
- Submit these tokens to bypass authentication or authorization controls
The attack targets the integrity of the authentication process, potentially allowing unauthorized actions without impacting confidentiality or availability directly.
Detection Methods for CVE-2026-22748
Indicators of Compromise
- Unusual JWT token patterns in application logs that bypass standard validation rules
- Authentication events with tokens containing unexpected or missing claims
- Increased authentication activity from unknown or suspicious sources
- Application audit logs showing successful authentication with malformed tokens
Detection Strategies
- Review Spring Security configurations for NimbusJwtDecoder and NimbusReactiveJwtDecoder usage without corresponding setJwtValidator calls
- Implement application-level logging for JWT token validation failures and successes
- Monitor for JWT tokens with anomalous claim values or missing required fields
- Deploy static code analysis tools to identify vulnerable configuration patterns
Monitoring Recommendations
- Enable detailed authentication logging in Spring Security applications
- Monitor API endpoints accepting JWT authentication for unusual access patterns
- Implement alerting on authentication attempts with tokens that would fail strict validation
- Review application dependencies to identify affected Spring Security versions
How to Mitigate CVE-2026-22748
Immediate Actions Required
- Audit all applications using NimbusJwtDecoder or NimbusReactiveJwtDecoder for proper validator configuration
- Ensure setJwtValidator is called with appropriate OAuth2TokenValidator<Jwt> implementations
- Update Spring Security to patched versions when available
- Review authentication logs for signs of exploitation attempts
Patch Information
Spring has issued a security advisory for this vulnerability. Organizations should consult the Spring Security Advisory CVE-2026-22748 for detailed patching guidance and updated version information. Upgrade paths include moving to versions beyond the affected ranges:
- Upgrade from 6.3.x to version 6.3.15 or later
- Upgrade from 6.4.x to version 6.4.15 or later
- Upgrade from 6.5.x to version 6.5.10 or later
- Upgrade from 7.0.x to version 7.0.5 or later
Workarounds
- Explicitly configure OAuth2TokenValidator<Jwt> on all NimbusJwtDecoder and NimbusReactiveJwtDecoder instances
- Implement custom validators that verify issuer, audience, expiration, and other critical JWT claims
- Consider using alternative JWT decoder configurations that include built-in validation
- Add additional application-layer validation of JWT claims before processing requests
Configuration example (review Spring Security bean configuration and ensure JwtDecoder beans include validator configuration; jwkSetUri and issuerUri are assumed to be injected configuration values, for example via @Value):

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // createDefaultWithIssuer combines the timestamp (exp/nbf) and issuer checks;
        // wrapping it in DelegatingOAuth2TokenValidator leaves room to add more validators
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuerUri)
        ));
        return decoder;
    }

Verify the Spring Security version in pom.xml or build.gradle:

    grep "spring-security" pom.xml build.gradle build.gradle.kts 2>/dev/null
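The following is an added example, not code from this page or from the Spring Security project. It carries out the Workarounds above (issuer, audience and expiration checks attached via setJwtValidator) and the Detection Strategies item on logging JWT validation failures, in one JwtDecoder bean. The property names app.jwt.jwk-set-uri, app.jwt.issuer-uri and app.jwt.audience, the class name JwtDecoderConfig, the requirement that sub be present, and the LoggingValidator wrapper are assumptions made for this example; the Spring Security classes it uses (NimbusJwtDecoder, JwtValidators, JwtClaimValidator, DelegatingOAuth2TokenValidator, OAuth2TokenValidatorResult) are the real ones.

```java
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Assumed class name for this example.
@Configuration
public class JwtDecoderConfig {

    private static final Logger log = LoggerFactory.getLogger(JwtDecoderConfig.class);

    @Bean
    public JwtDecoder jwtDecoder(
            // Property names are assumptions for this example; adapt them to your configuration.
            @Value("${app.jwt.jwk-set-uri}") String jwkSetUri,
            @Value("${app.jwt.issuer-uri}") String issuerUri,
            @Value("${app.jwt.audience}") String expectedAudience) {

        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // Timestamp checks (exp / nbf, with default clock skew) plus the iss claim.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuerUri);

        // The aud claim must be present and contain the audience this service expects.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(expectedAudience));

        // Assumed requirement for this example: a token without a subject is rejected.
        OAuth2TokenValidator<Jwt> subjectPresent = new JwtClaimValidator<String>(
                JwtClaimNames.SUB,
                sub -> sub != null && !sub.isBlank());

        OAuth2TokenValidator<Jwt> combined =
                new DelegatingOAuth2TokenValidator<>(defaults, audience, subjectPresent);

        // The explicit setJwtValidator call is the mitigation; the wrapper adds visibility.
        decoder.setJwtValidator(new LoggingValidator(combined));
        return decoder;
    }

    // Wraps a validator and logs every rejection with its reason, so that tokens
    // failing validation show up in application logs for monitoring and alerting.
    static final class LoggingValidator implements OAuth2TokenValidator<Jwt> {

        private final OAuth2TokenValidator<Jwt> delegate;

        LoggingValidator(OAuth2TokenValidator<Jwt> delegate) {
            this.delegate = delegate;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt token) {
            OAuth2TokenValidatorResult result = delegate.validate(token);
            if (result.hasErrors()) {
                for (OAuth2Error error : result.getErrors()) {
                    // Log identifying claims, never the raw token value.
                    log.warn("JWT rejected: iss={} sub={} jti={} reason={}",
                            token.getIssuer(), token.getSubject(), token.getId(),
                            error.getDescription());
                }
            }
            // The delegate's result is returned unchanged, so acceptance is not affected.
            return result;
        }
    }
}
```

JwtValidators.createDefaultWithIssuer already covers exp, nbf and iss; the two JwtClaimValidator instances add aud and sub on top of it, and the whole set is attached in one setJwtValidator call. Because LoggingValidator returns the delegate's result as-is, it does not change which tokens are accepted; it only makes each rejection, with its reason, visible to log-based detection.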
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

