VMware Tanzu Spring Security: Attackers can register malicious clients
Security flaws in VMware Tanzu Spring Security allow, among other things, authentication to be bypassed.
Attackers can exploit a total of seven vulnerabilities in VMware Tanzu Spring Security and, in the worst case, execute their own code. Security updates are now available. Even though the software manufacturer has not yet reported any attacks, administrators should install the patches promptly.
Tanzu Spring Security is an authentication and access control framework designed to secure Spring-based applications. Now, however, it has itself become a security risk.
Various Dangers
According to a warning, one of the most dangerous is a “critical” vulnerability (CVE-2026-22752) in the context of dynamic client registration. Because metadata fields are not sufficiently validated when a new client is registered, attackers can store malicious content there. However, they must already hold a valid initial access token. If an attack succeeds, attackers can register a client under their control and, among other things, execute malicious code via stored XSS.
Two further vulnerabilities are classified as “high” threat level (CVE-2026-22754, CVE-2026-22753). Because attackers can send requests to paths that should actually be protected, security mechanisms can be bypassed.
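The flaw described above is a missing validation of client metadata at registration time. The following is an added example of how a defender would validate such metadata before persisting it, and escape it again on output; it is not code from Spring Security or Spring Authorization Server, and it does not reproduce the actual vulnerable code. The field names follow the RFC 7591 dynamic client registration format; the length limit, the allowed character set for `client_name`, the grant-type and auth-method allowlists, and the loopback exception for plain `http` redirect URIs are assumptions chosen for illustration.

```python
"""Defensive validation of OAuth 2.0 / OIDC dynamic client registration metadata.

Added example, not code from Spring Security or Spring Authorization Server.
Field names follow RFC 7591; all limits and allowlists below are assumptions.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

MAX_NAME_LEN = 64                                   # assumed limit
NAME_RE = re.compile(r"^[\w .,'()&/-]+$")           # assumed allowlist: no < > " or control chars
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "private_key_jwt", "none"}
KNOWN_FIELDS = {"client_name", "redirect_uris", "grant_types",
                "token_endpoint_auth_method", "scope"}


def _check_redirect_uri(uri: str) -> Optional[str]:
    """Return an error message for an unacceptable redirect URI, else None."""
    parts = urlsplit(uri)
    # Reject javascript:, data:, custom schemes and anything non-http(s) outright.
    if parts.scheme not in ("https", "http"):
        return f"redirect_uris: unsupported scheme in {uri!r}"
    if not parts.netloc:
        return f"redirect_uris: not an absolute URI: {uri!r}"
    # Plain http is tolerated only for loopback development clients (assumption).
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        return f"redirect_uris: plain http only allowed for loopback: {uri!r}"
    if parts.fragment:
        return f"redirect_uris: fragment not allowed: {uri!r}"
    return None


def validate_client_metadata(metadata: dict) -> list:
    """Validate a registration request; returns a list of errors (empty if acceptable).

    Every field is checked against an allowlist rather than a denylist, so content
    that would later be rendered (client_name) cannot carry markup into the store.
    """
    errors = []

    unknown = set(metadata) - KNOWN_FIELDS
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))

    name = metadata.get("client_name")
    if not isinstance(name, str) or not name.strip():
        errors.append("client_name: required")
    elif len(name) > MAX_NAME_LEN:
        errors.append(f"client_name: longer than {MAX_NAME_LEN} characters")
    elif not NAME_RE.fullmatch(name):
        errors.append("client_name: contains characters outside the allowed set")

    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        errors.append("redirect_uris: at least one URI required")
    else:
        for uri in uris:
            if not isinstance(uri, str):
                errors.append("redirect_uris: entries must be strings")
                continue
            err = _check_redirect_uri(uri)
            if err:
                errors.append(err)

    grants = metadata.get("grant_types", ["authorization_code"])
    if not isinstance(grants, list):
        errors.append("grant_types: must be a list")
    else:
        for g in grants:
            if g not in ALLOWED_GRANT_TYPES:
                errors.append(f"grant_types: {g!r} not permitted")

    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in ALLOWED_AUTH_METHODS:
        errors.append(f"token_endpoint_auth_method: {method!r} not permitted")

    return errors


def render_client_name(name: str) -> str:
    """Second line of defense: HTML-escape the stored name when it is shown on a
    consent page or admin view, even though validation already rejected markup."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    # Constructed sample request, not taken from the advisory.
    request = {"client_name": "Acme <script>alert(1)</script>",
               "redirect_uris": ["javascript:alert(1)"]}
    for problem in validate_client_metadata(request):
        print("rejected:", problem)
```

Both layers matter: validation keeps hostile values out of the client store, and output escaping protects every page that later displays metadata written before the validation existed.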
Install Security Patches
According to the developers, the security issues have been resolved in Tanzu Spring Security version 7.0.5 and in Spring Authorization Server 1.3.11, 1.4.10, and 1.5.7.
Admins can find further details on the vulnerabilities, as well as the affected and fixed versions, in the security section of the VMware Tanzu website.
(des)