VMware Tanzu: Several Spring products are vulnerable to attack
Attackers can exploit vulnerabilities in VMware Tanzu Spring Boot, Spring Framework, and Spring Security. Security patches are available for download.
If attackers exploit a "critical" security vulnerability in the VMware Tanzu Spring Security authentication and access control framework, they can access protected data. Further software vulnerabilities endanger Spring Boot and Spring Framework. So far, there are no reports of attacks. Security updates provide a remedy.
Protect instances from possible attacks
According to an advisory, versions no longer in support are also affected by the "critical" vulnerability (CVE-2026-22732) in Spring Security. Errors in the handling of HTTP headers can allow attackers to gain unauthorized access to sensitive data. According to the developers, versions 5.7.22, 5.8.24, 6.3.15, 6.4.15, 6.5.9, and 7.0.4 are protected.
In Spring Boot, attackers can, among other things, bypass authentication (e.g., CVE-2026-22731, "high"). Versions 2.7.32, 3.3.18, 3.4.15, 3.5.12, and 4.0.4 are patched here. Attacks on Spring Framework can lead to information leaks (CVE-2026-22737, "medium"). The vulnerability is fixed in versions 5.3.47, 6.1.26, 6.2.17, and 7.0.6.
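The practical question for an operator reading the three lists above is whether a given deployment sits on a fixed release of each product. The following script is an added example, not code from heise or from the Spring projects: it encodes the patched versions named in this article per release branch, compares a declared version against the fix for its own major.minor branch, and scans a constructed Maven pom fragment for Spring coordinates. The mapping of Maven groupIds to products and the sample pom are assumptions made for the example; a version whose branch is not in the lists is reported as "unknown-branch" rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in the article, keyed by product (one entry per release branch).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "spring-security": ["5.7.22", "5.8.24", "6.3.15", "6.4.15", "6.5.9", "7.0.4"],
    "spring-boot": ["2.7.32", "3.3.18", "3.4.15", "3.5.12", "4.0.4"],
    "spring-framework": ["5.3.47", "6.1.26", "6.2.17", "7.0.6"],
}

# Assumption for this example: standard Maven groupIds of the three products.
GROUP_TO_PRODUCT: Dict[str, str] = {
    "org.springframework.security": "spring-security",
    "org.springframework.boot": "spring-boot",
    "org.springframework": "spring-framework",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); qualifiers such as -SNAPSHOT or .RELEASE are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def _fixed_patch_by_branch(product: str) -> Dict[Tuple[int, int], int]:
    """Map each (major, minor) branch to the patch level that carries the fix."""
    table: Dict[Tuple[int, int], int] = {}
    for v in FIXED_VERSIONS[product]:
        major, minor, patch = parse_version(v)
        table[(major, minor)] = patch
    return table


def assess(product: str, version: str) -> str:
    """Classify a declared version as 'fixed', 'vulnerable' or 'unknown-branch'.

    Comparison is branch-aware: 6.4.14 is below the 6.4.15 fix even though it is
    numerically above 6.3.15, so a plain version-sort would misjudge it.
    """
    major, minor, patch = parse_version(version)
    fixed_patch = _fixed_patch_by_branch(product).get((major, minor))
    if fixed_patch is None:
        # Branch not covered by the listed fixes: needs manual review, not a guess.
        return "unknown-branch"
    return "fixed" if patch >= fixed_patch else "vulnerable"


# Minimal matcher for explicit <dependency> blocks that declare their own <version>.
_DEP_RE = re.compile(
    r"<dependency>\s*<groupId>([^<]+)</groupId>\s*"
    r"<artifactId>([^<]+)</artifactId>\s*<version>([^<]+)</version>",
    re.S,
)


def scan_pom(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, verdict) for every Spring dependency with an explicit version."""
    findings: List[Tuple[str, str, str]] = []
    for group, artifact, version in _DEP_RE.findall(pom_xml):
        product = GROUP_TO_PRODUCT.get(group.strip())
        if product is None:
            continue  # not one of the three products covered here
        findings.append((f"{group.strip()}:{artifact.strip()}", version.strip(), assess(product, version)))
    return findings


# Constructed sample pom fragment for the example (not a real project's file).
SAMPLE_POM = """
<dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>6.4.14</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <version>3.5.12</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>6.2.16</version>
  </dependency>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>6.0.5</version>
  </dependency>
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>unrelated</artifactId>
    <version>1.0.0</version>
  </dependency>
</dependencies>
"""

if __name__ == "__main__":
    for coordinate, version, verdict in scan_pom(SAMPLE_POM):
        print(f"{coordinate} {version}: {verdict}")
```

The scan only sees versions written directly into the pom; dependencies whose version is inherited from a parent or a BOM carry no `<version>` element and are skipped, so for a real project feed the resolved dependency tree (for Maven, the output of `mvn dependency:tree`) into `assess` instead of the raw file.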
(des)