GHSA-293Q-567P-WMWQ
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-30 21:35
VLAI?
Summary
Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates
Details
In Spring Security Web, SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.
SubjectDnX509PrincipalExtractor is deprecated by this CVE and replaced with SubjectX500PrincipalExtractor. As part of updating, you should also migrate to SubjectX500PrincipalExtractor.
Affected versions: Spring Security Enterprise 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10. OSS 6.5.0 through 6.5.10.
Severity ?
6.8 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.10"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-web"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-web"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"last_affected": "6.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-web"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.3.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-web"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"last_affected": "5.8.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.7.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47838"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T21:35:09Z",
"nvd_published_at": "2026-06-10T00:16:54Z",
"severity": "MODERATE"
},
"details": "In Spring Security Web, `SubjectDnX509PrincipalExtractor` does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\n\n`SubjectDnX509PrincipalExtractor` is deprecated by this CVE and replaced with `SubjectX500PrincipalExtractor`. As part of updating, you should also migrate to `SubjectX500PrincipalExtractor`.\n\nAffected versions:\nSpring Security Enterprise 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10. \nOSS 6.5.0 through 6.5.10.",
"id": "GHSA-293q-567p-wmwq",
"modified": "2026-06-30T21:35:09Z",
"published": "2026-06-10T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47838"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2jrg-rf5x-568g"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-47838"
},
{
"type": "PACKAGE",
"url": "spring-projects/spring-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…