CVE-2026-22732: Spring Security HTTP Headers Are not Written Under Some Conditions

March 20, 2026

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

References

github.com/advisories/GHSA-mf92-479x-3373
github.com/spring-projects/spring-security
nvd.nist.gov/vuln/detail/CVE-2026-22732
spring.io/security/cve-2026-22732

Code Behaviors & Features

Detect and mitigate CVE-2026-22732 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →