Spring Security Flaw Leaves HTTP Security Headers Unwritten
Spring disclosed CVE-2026-22732, a vulnerability in Spring Security in which HTTP security headers may not be written under certain conditions, weakening browser-side protections that applications rely on to reduce exposure to client-side attacks. The issue affects the framework’s handling of response headers, creating a risk that expected defenses are absent even when developers believe they are enabled.
Belgium’s CCB Safeonweb warned that the flaw can enable multiple types of client-side attacks and urged organizations to patch immediately. The combined advisories indicate that teams using Spring Security should review affected versions, apply vendor fixes, and verify that critical response headers are being sent correctly to browsers after remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Belgium CCB warns of client-side attacks in Spring Security and urges patching
The Belgian Centre for Cybersecurity published an advisory warning about multiple types of client-side attacks affecting Spring Security and told organizations to patch immediately.
Spring publishes advisory for CVE-2026-22732 in Spring Security
Spring issued a product security advisory for CVE-2026-22732, describing a flaw where Spring Security HTTP headers are not written under some conditions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Warning: Multiple types of client-side attacks in Spring Security, Patch Immediately! | CCB Safeonweb
ccb.belgium.be
Open sourcecve-2026-22732: Under Some Conditions Spring Security HTTP Headers Are not Written
spring.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Thymeleaf SSTI Bypass Enables Expression Injection in Spring Java Apps
A critical flaw tracked as **`CVE-2026-40478`** allows attackers to bypass Thymeleaf’s expression-injection protections and achieve **server-side template injection (SSTI)** in applications that pass unvalidated user input into the template engine. The vulnerability affects **Thymeleaf 3.1.3.RELEASE and earlier** and stems from improper neutralization of syntax patterns in expression execution, including a whitespace parsing mismatch that let attackers evade detection of the SpEL `new` keyword and an incomplete type blocklist that still allowed dangerous class instantiation. The issue is mapped to **`CWE-917`** and **`CWE-1336`**, with a published **CVSS v3.1** vector of **`AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H`**. Researchers said successful exploitation can enable arbitrary file writes and potentially remote code execution in **Spring-based Java applications**, where Thymeleaf is commonly used as the default template engine in Spring Boot. The flaw can be exploited remotely without authentication when attacker-controlled input reaches Thymeleaf expression parsing, view names, or fragment selectors. The issue is addressed in **`3.1.4.RELEASE`**, which normalizes whitespace before checks, expands external-access detection, restricts dangerous expression objects, and tightens type restrictions; defenders are urged to upgrade **`thymeleaf`**, **`thymeleaf-spring5`**, and **`thymeleaf-spring6`** and review applications to ensure untrusted input is never interpreted as template expressions.
Apr 29, 2026
Spring Cloud Config and Spring AI Flaws Expose Systems to RCE and SSRF
The Canadian Centre for Cyber Security issued advisory **AV26-288** warning that multiple vulnerabilities disclosed by Spring affect **Spring Cloud Config** and **Spring AI**, including **server-side request forgery (SSRF)**, unintended file access, query injection, and a **SpEL injection** that can lead to **remote code execution (RCE)**. The notice says the issues were disclosed by Spring between March 23 and 26 and urged organizations to review the vendor advisories and assess exposure in affected deployments. Affected versions include **Spring Cloud Config** releases prior to **3.1.3**, **4.1.9**, **4.2.6**, **4.3.2**, and **5.0.2**, along with **Spring AI** versions prior to **1.0.5** and **1.1.4**. The Cyber Centre advised administrators and users to apply the relevant updates to reduce the risk of exploitation against exposed services and vulnerable application environments.
May 25, 2026
Spring fixes TLS hostname verification flaws and DevTools timing attack issue
Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for **Elasticsearch**, **Cassandra**, and **RabbitMQ** that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as `CVE-2026-40970`, `CVE-2026-40974`, and `CVE-2026-40971`, respectively, and could weaken certificate validation for connections to those backend services. A fourth advisory, `CVE-2026-40972`, affects **Spring DevTools** and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.
May 24, 2026