Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● High · CVSS 7.5

How to Fix CVE-2026-22754: Spring Security (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-22754 is a sibling vulnerability in the same vendor advisory as CVE-2026-22746. Applying the patched build named in the primary write-up closes this CVE as well.

⚡ At a glance
SeverityCVSS 7.5 - High
Actively exploited?Not currently in CISA KEV
AffectedSame as the bundle - see CVE-2026-22746
Fixed inSame patched build as CVE-2026-22746 (See vendor advisory)
Type (CWE)Not verified

What's different about CVE-2026-22754?

Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-22754

Apply the patched build per the primary write-up: How to Fix CVE-2026-22746.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.

Frequently asked questions

Is CVE-2026-22754 fixed by the same patch as CVE-2026-22746?

Yes. CVE-2026-22754 ships in the same vendor advisory as CVE-2026-22746. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-22754?

The CVSS base score is 7.5 (High).

Is it being exploited?

It is not currently listed in CISA KEV.

References

*Part of the Spring Security bundle. Full procedure at CVE-2026-22746.*