CVE-2026-47838 Overview
CVE-2026-47838 affects Spring Security's SubjectDnX509PrincipalExtractor, which fails to correctly parse certain malformed X.509 certificate Common Name (CN) values. The flawed parsing logic can read the wrong value as the authenticated username. An attacker holding a carefully crafted certificate can exploit this behavior to impersonate another user within the application. The vulnerability is classified under CWE-287: Improper Authentication.
Critical Impact
Authenticated attackers with a maliciously crafted X.509 certificate can impersonate legitimate users, breaking authentication and authorization boundaries in applications that rely on Spring Security X.509 client certificate authentication.
Affected Products
- Spring Security 5.7.0 through 5.7.24
- Spring Security 5.8.0 through 5.8.26, 6.3.0 through 6.3.17
- Spring Security 6.4.0 through 6.4.17 and 6.5.0 through 6.5.10
Discovery Timeline
- 2026-06-10 - CVE-2026-47838 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47838
Vulnerability Analysis
Spring Security supports X.509 client certificate authentication, extracting the principal identity from the certificate's Subject Distinguished Name (DN). The SubjectDnX509PrincipalExtractor applies a regular expression against the Subject DN to pull the CN value used as the username. When the certificate contains malformed CN attributes, the extraction logic selects the wrong substring as the principal identifier.
This parsing weakness shifts the trust boundary. An attacker who legitimately controls one certificate identity can craft DN content that the extractor maps to a different account name held by another user. The impact is a confidentiality and integrity break against authentication, without affecting service availability.
Root Cause
The root cause lies in how SubjectDnX509PrincipalExtractor tokenizes and matches the CN field within the Subject DN string. The extractor does not strictly validate or normalize the DN format, allowing crafted CN values with embedded separators, quoting, or duplicate attributes to mislead the username selection logic. This is a CWE-287 improper authentication flaw rooted in input parsing, not in cryptographic validation of the certificate chain.
Attack Vector
Exploitation requires the attacker to possess a valid X.509 certificate that the target application accepts through its trust store and client authentication configuration. The attacker constructs the certificate so that its Subject DN contains a malformed CN designed to be misparsed. When the application authenticates the certificate, Spring Security extracts a username belonging to a different user, granting the attacker that user's privileges.
No authentication code examples are included because no verified proof-of-concept exists. Refer to the Spring Security Advisory for CVE-2026-47838 for vendor technical details.
Detection Methods for CVE-2026-47838
Indicators of Compromise
- Authentication events where the certificate Subject DN contains unusual characters such as embedded commas, equals signs, quotes, or multiple CN= attributes.
- Successful X.509 logins where the resolved username does not match the expected CN of the presented certificate.
- Spikes in client certificate authentication failures followed by a successful login from the same client.
Detection Strategies
- Log the full Subject DN alongside the resolved principal name for every X.509 authentication, then alert on mismatches between the literal first CN= value and the assigned username.
- Audit application logs against the issued certificate inventory to identify principals authenticating with DNs not present in the certificate authority records.
- Hunt for sessions where a single user identity is established from multiple distinct client certificate fingerprints in a short interval.
Monitoring Recommendations
- Forward Spring Security authentication logs and reverse proxy mTLS logs into a centralized SIEM for correlation across the certificate chain and application principal.
- Monitor issuance activity from internal certificate authorities for unexpected CN structures or DN attributes containing escaped delimiters.
- Track changes to Spring Security versions across the application portfolio to confirm patched releases are deployed.
How to Mitigate CVE-2026-47838
Immediate Actions Required
- Upgrade Spring Security to a fixed release line: 5.7.25, 5.8.27, 6.3.18, 6.4.18, or 6.5.11 or later, according to the Spring Security Advisory.
- Inventory all applications using SubjectDnX509PrincipalExtractor or X.509 client certificate authentication and prioritize them for patching.
- Review recent authentication logs for the indicators of compromise described above and revoke suspicious certificates.
Patch Information
Pivotal/Spring published fixes in the patched maintenance versions of each affected branch. Update the spring-security-web and related Spring Security artifacts to a non-vulnerable version and redeploy applications. Consult the Spring Security Advisory for CVE-2026-47838 for the authoritative patched version list.
Workarounds
- Replace SubjectDnX509PrincipalExtractor with a custom X509PrincipalExtractor that performs strict RFC 4514 DN parsing and rejects malformed CN values.
- Restrict the certificate authority trust store so that only internally issued certificates with controlled DN formats are accepted for client authentication.
- Enforce additional authorization checks downstream of authentication, such as binding the certificate serial number or fingerprint to the expected user record.
# Maven dependency upgrade example - replace with the patched version applicable to your branch
mvn versions:use-dep-version -Dincludes=org.springframework.security:spring-security-web -DdepVersion=6.5.11 -DforceVersion=true
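As an added example, not code from Spring Security or the vendor advisory, the Java class below shows one way to implement the strict-parsing workaround listed above and, using the same parser, the "literal first CN= value versus assigned username" check from the Detection Strategies section. The class name StrictCnX509PrincipalExtractor, the flagsMismatch helper and the sample log records in main are constructed for this illustration; the class relies on Spring Security's X509PrincipalExtractor interface and BadCredentialsException, and on the RFC 2253 string form returned by X500Principal.getName, which escapes commas, plus signs and equals signs that occur inside attribute values.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/**
 * Illustrative replacement for SubjectDnX509PrincipalExtractor (added example, not Spring's code).
 * Instead of one regex over the whole DN string, it walks the DN attribute by attribute,
 * honouring RFC 2253 backslash escapes, and refuses any certificate whose CN is missing,
 * duplicated, part of a multi-valued RDN, or contains delimiter/escape characters.
 */
public class StrictCnX509PrincipalExtractor implements X509PrincipalExtractor {

    @Override
    public Object extractPrincipal(X509Certificate clientCert) {
        // RFC 2253 form: a literal comma inside a value is emitted as "\," so it can be
        // distinguished from the separator between RDNs.
        String dn = clientCert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        return extractCn(dn);
    }

    /** Returns the single CN value of the DN, or throws if the DN does not parse strictly. */
    static String extractCn(String dn) {
        List<String> cns = new ArrayList<>();
        for (String rdn : splitUnescaped(dn, ',')) {
            List<String> avas = splitUnescaped(rdn, '+');
            for (String ava : avas) {
                int eq = ava.indexOf('=');
                if (eq < 0) {
                    throw new BadCredentialsException("Malformed attribute in subject DN: " + ava);
                }
                String type = ava.substring(0, eq).trim();
                String value = ava.substring(eq + 1);
                if (type.equalsIgnoreCase("CN")) {
                    if (avas.size() > 1) {
                        // "CN=a+OU=b" is ambiguous for username mapping; reject rather than guess.
                        throw new BadCredentialsException("CN inside a multi-valued RDN is not accepted");
                    }
                    cns.add(value);
                }
            }
        }
        if (cns.size() != 1) {
            throw new BadCredentialsException("Subject DN must contain exactly one CN, found " + cns.size());
        }
        String cn = cns.get(0);
        // Any escape or delimiter left inside the CN is exactly the kind of value a lenient
        // regex could misread, so the strict extractor refuses it outright.
        if (cn.isEmpty() || cn.contains("\\") || cn.contains("\"") || cn.contains("=")
                || cn.contains(",") || cn.contains("+")) {
            throw new BadCredentialsException("CN contains delimiter or escape characters");
        }
        return cn;
    }

    /** Splits s on sep, ignoring separators that are backslash-escaped (RFC 2253). */
    static List<String> splitUnescaped(String s, char sep) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean escaped = false;
        for (char c : s.toCharArray()) {
            if (escaped) {
                cur.append(c);
                escaped = false;
            } else if (c == '\\') {
                cur.append(c);
                escaped = true;
            } else if (c == sep) {
                out.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString());
        return out;
    }

    /**
     * Detection helper: true when the username the application resolved does not equal the
     * strictly parsed CN, or when the DN does not parse strictly at all (itself an indicator).
     */
    static boolean flagsMismatch(String loggedSubjectDn, String resolvedUsername) {
        try {
            return !extractCn(loggedSubjectDn).equals(resolvedUsername);
        } catch (BadCredentialsException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample log records: {subject DN as logged, username the app resolved}.
        String[][] samples = {
            {"CN=alice,OU=Eng,O=Example", "alice"},              // clean, expected "ok"
            {"CN=bob\\,CN=alice,OU=Eng,O=Example", "alice"},     // escaped comma inside CN, expected "ALERT"
            {"CN=carol+OU=Eng,O=Example", "carol"},              // multi-valued RDN, expected "ALERT"
            {"OU=Eng,O=Example,CN=dave", "dave"},                // CN not first, still "ok"
        };
        for (String[] s : samples) {
            System.out.println((flagsMismatch(s[0], s[1]) ? "ALERT " : "ok    ") + s[0] + " -> " + s[1]);
        }
    }
}
```

The extractor is wired in place of the default one through the X.509 configurer, for example http.x509(x509 -> x509.x509PrincipalExtractor(new StrictCnX509PrincipalExtractor())). It is deliberately stricter than the default: a legitimately issued certificate whose CN contains a comma or plus sign will be rejected, which is the intended trade-off while the patched release is rolled out. The flagsMismatch method is the same comparison a SIEM rule would apply to the "Subject DN plus resolved principal" log line recommended above; running main prints which of the constructed records would raise an alert.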
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

