CVE-2026-22732: Under Some Conditions Spring Security HTTP Headers Are not Written
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
Other sources
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
— NVD
Frequently Asked Questions
What is the severity of CVE-2026-22732?
CVE-2026-22732 is considered a medium severity vulnerability because it can silently prevent configured HTTP response headers from being written, which affects the integrity of the response headers the application expects to send.
How do I fix CVE-2026-22732?
To resolve CVE-2026-22732, upgrade Spring Security to a fixed release: 5.7.22, 5.8.24, 6.3.15, 6.4.15, 6.5.9, or 7.0.4, or a later version within the same release line.
What are the affected versions for CVE-2026-22732?
CVE-2026-22732 affects Spring Security versions from 5.7.0 to 5.7.21, 5.8.0 to 5.8.23, 6.3.0 to 6.3.14, 6.4.0 to 6.4.14, 6.5.0 to 6.5.8, and 7.0.0 to 7.0.3.
What applications are impacted by CVE-2026-22732?
Spring Security Servlet applications that specify HTTP response headers and rely on the default lazy header writing may, under some conditions, have those headers omitted from responses because of CVE-2026-22732.
Is CVE-2026-22732 related to security headers?
Yes, CVE-2026-22732 specifically concerns HTTP response headers configured through Spring Security, including security headers, not being written in affected versions.