CVE-2026-22732: Critical Spring Security Flaw (CVSS 9.1) Exposes Applications via Reachable Attack Path

A critical vulnerability in the Spring Security ecosystem has been flagged in automated dependency scanning, raising concerns for organizations running Java applications built on Spring Boot. The flaw, tracked as CVE-2026-22732, carries a CVSS score of 9.1—placing it in the upper echelon of severity ratings—and is classified as reachable, meaning an attacker could potentially exploit it through application code paths actively in use.

The vulnerability traces to spring-security-web-6.5.5.jar, a transitive dependency bundled within spring-boot-starter-security-3.5.6.jar. Path analysis confirms the flawed component sits within the library chain pulled by Maven configurations, specifically at /pom.xml, and resolves to /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter-security/3.5.6/. The Exploit Prediction Scoring System (EPSS) currently registers below 1%, suggesting limited public exploitation in the wild—but the absence of defined exploit maturity and the lack of a remediation path (Fixed in: N/A) keeps this in a precarious state. The Dependabot alert, generated by the devops-infra/action-commit-push-1.0.3 workflow, was auto-closed after detection.

For development teams, the implications are direct: applications depending on this specific version of Spring Security may be exposed without an immediate patch available. The reachable classification means the vulnerable code is not buried in unused functions but sits along executable paths, increasing the practical risk of exploitation if an attack vector matures. Organizations should audit Maven dependency trees for spring-security-web-6.5.5, consider upgrading paths once patches are released, and monitor the Spring Security advisory channels for updates. The combination of high severity, reachable attack surface, and outstanding fix availability makes this a priority item for security and DevOps teams.