CVE-2026-22754: Servlet Path Not Correctly Included in Path Matching of XML Authorization Rules

HIGH | APRIL 20, 2026 | CVE-2026-22754

Description

If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> so that the servlet path is taken into account when the path matcher for the rule is computed, the servlet path is in fact not included in the resulting matcher. The rule therefore does not match the requests it was written for, and the related authorization rules are not exercised. This can lead to an authorization bypass.

Affected Spring Products and Versions

Spring Security:

  • 7.0.0 - 7.0.4

Spring Security 6.x and earlier are not affected; the described issue applies to XML intercept-url servlet path handling in Spring Security 7.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
7.0.x                 7.0.5         OSS

If you are not able to upgrade, you can drop the servlet-path attribute and place the servlet path directly in the pattern, as follows:

<sec:intercept-url pattern="/servlet-path/endpoint/**" access="authenticated"/>

Use an access expression (or other supported authorization attributes) appropriate for your application.
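A regression test that exercises the behaviour described above, both the vulnerable configuration and the workaround. This is an added example written for this page, not code from the advisory or from Spring Security. It assumes a Spring MVC application whose security rules live in classpath:security.xml (a hypothetical path), which declares <sec:http-basic/> and the rule <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**" access="authenticated"/> (or the spelled-out /servlet-path/endpoint/** form); that the DispatcherServlet is mapped to /servlet-path/*; and that GET /endpoint/ping under that servlet answers 200 to any authenticated user. The first test fails on 7.0.0 through 7.0.4 with the servlet-path form of the rule and passes on 7.0.5 or with the workaround pattern.

```java
package com.example.security;

import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

/**
 * Added regression test for the servlet-path handling of <sec:intercept-url>.
 * Assumptions (not taken from the advisory): the security XML is at
 * classpath:security.xml, uses <sec:http-basic/>, and contains the rule
 * <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"
 * access="authenticated"/>; the DispatcherServlet is mapped to /servlet-path/*;
 * GET /endpoint/ping under that servlet returns 200 to authenticated users.
 */
@SpringJUnitWebConfig(locations = "classpath:security.xml")
class InterceptUrlServletPathTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        // springSecurity() wires springSecurityFilterChain into MockMvc so the
        // intercept-url rules are evaluated for every request sent below.
        this.mvc = MockMvcBuilders.webAppContextSetup(this.context)
                .apply(springSecurity())
                .build();
    }

    @Test
    void anonymousRequestUnderServletPathIsRejected() throws Exception {
        // servletPath() is essential: the request is then seen as servlet path
        // "/servlet-path" plus path info "/endpoint/ping", which is precisely the
        // shape the servlet-path attribute is meant to account for. With the bug
        // the rule's matcher lacks the servlet path, so the rule never fires for
        // this request. With the fix, or with pattern="/servlet-path/endpoint/**",
        // the rule matches and http-basic challenges the anonymous caller.
        // (With form-login instead of http-basic, expect a 302 redirect here.)
        this.mvc.perform(get("/servlet-path/endpoint/ping").servletPath("/servlet-path"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser
    void authenticatedRequestUnderServletPathIsAllowed() throws Exception {
        // Proves the endpoint is really reachable at this path, so the test
        // above cannot pass vacuously because of a 404 from a mis-mapped servlet.
        this.mvc.perform(get("/servlet-path/endpoint/ping").servletPath("/servlet-path"))
                .andExpect(status().isOk());
    }
}
```

Run it once against the original servlet-path rule to confirm the failure on an affected version, then again after upgrading to 7.0.5 or switching to the spelled-out pattern; both tests should then pass. Keeping the test in the build guards against the rule silently regressing when the XML is edited later.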

Credit

The issue was identified and responsibly reported by Apex, a Cantinas AppSec agent.

History

  • 2026-04-20: Initial vulnerability report published.
