A critical security vulnerability has been disclosed in Spring Security Authorization Server, exposing enterprise Java applications to Stored Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and Privilege Escalation attacks through insufficient validation of Dynamic Client Registration metadata fields. Organizations running Spring Authorization Server or Spring Security 7.0.x must apply emergency patches immediately.
CVE-2026-22752: Critical Spring Security Flaw
CVE-2026-22752 affects the OAuth2/OpenID Connect Dynamic Client Registration (DCR) endpoints of the Spring Security Authorization Server. When Dynamic Client Registration is explicitly enabled, these endpoints fail to perform adequate validation on certain client metadata fields submitted during registration.
This validation gap allows an authenticated attacker holding a valid Initial Access Token to dynamically register a malicious OAuth2 client whose metadata carries crafted payloads.
The vulnerability carries a CVSS v3.1 score of 9.6 with the vector string AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, indicating network-exploitable, low-complexity attack conditions with high impact on confidentiality and integrity across a changed security scope.
The exploitation path begins when an attacker acquires a legitimate Initial Access Token (IAT), obtained through social engineering, credential theft, or insider access, and then uses it to invoke the Dynamic Client Registration endpoint.
The attacker submits a crafted registration request containing malicious payloads embedded in metadata fields such as client_name, redirect_uris, logo_uri, policy_uri, or tos_uri.
Because the Authorization Server performs insufficient validation on these metadata fields, the server stores the malicious payload as-is in its client registry.
Depending on the server configuration and subsequent use of the registered client data, this triggers one or more of the following attack chains:
- Stored XSS: Malicious script injected via metadata fields (e.g., client_name) executes in admin consoles or portals that render client details, hijacking administrator sessions
- Privilege Escalation: The attacker registers a client with scope claims or grant types not intended for their access tier, enabling unauthorized access to protected resources
- Server-Side Request Forgery (SSRF): Crafted logo_uri or policy_uri metadata can cause the server, or tooling that consumes the registry, to make outbound HTTP requests to internal network resources or cloud metadata endpoints (e.g., 169.254.169.254), leaking sensitive infrastructure data
The scope change (S:C) in the CVSS vector underscores the critical reality: the injected metadata is consumed by components other than the registration endpoint itself (admin consoles, URI fetchers, resource servers), so a low-privileged attacker can breach systems and resources well beyond their original authorization boundary.
Affected Products and Versions
The vulnerability impacts multiple release lines across Spring’s ecosystem. The following versions are confirmed affected:
| Product | Affected Versions | Fixed Version | Availability |
|---|---|---|---|
| Spring Security | 7.0.0 – 7.0.4 | 7.0.5 | OSS (Free) |
| Spring Authorization Server | 1.3.0 – 1.3.10 | 1.3.11 | Commercial |
| Spring Authorization Server | 1.4.0 – 1.4.9 | 1.4.10 | Commercial |
| Spring Authorization Server | 1.5.0 – 1.5.6 | 1.5.7 | OSS (Free) |
Notably, fixes for the 1.3.x and 1.4.x branches are available only to organizations with an active commercial subscription, making this a particularly urgent concern for enterprises locked into these maintenance branches.
Dynamic Client Registration is part of the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) and the OpenID Connect Dynamic Client Registration 1.0 specification.
It enables automated onboarding of OAuth2 clients in modern microservice architectures, API gateway ecosystems, and SaaS platforms, making it a common feature in large enterprise deployments.
RFC 7591 treats the Initial Access Token as an optional, deliberately lightweight gate for trusted automation flows: it establishes that the caller may register a client, not that the metadata being registered is safe.
CVE-2026-22752 demonstrates that when metadata validation is absent, this trust model becomes a direct attack surface for privilege abuse and persistent injection attacks.
With Spring Security powering a significant percentage of enterprise Java applications globally, the blast radius of this flaw is substantial.
This vulnerability also follows a broader pattern of critical Spring Security flaws in 2026. Earlier in March, CVE-2026-22732 exposed a critical issue where HTTP security headers were silently dropped in servlet applications, leaving systems exposed while appearing secure.
The disclosures signal ongoing security scrutiny of Spring Security and demand heightened patch discipline from security teams.
Immediate Mitigation
Security teams should take the following actions without delay:
- Audit your deployment – Identify whether Dynamic Client Registration (the /connect/register endpoint) is enabled in your Spring Authorization Server configuration
- Apply patches immediately – Upgrade to Spring Security 7.0.5 or Spring Authorization Server 1.5.7 (OSS), or obtain 1.3.11/1.4.10 through Spring commercial support
- Review registered clients – Audit all dynamically registered clients in your registry for suspicious client_name, redirect_uris, logo_uri, policy_uri, or tos_uri values
- Restrict Initial Access Token issuance – Tighten controls on who can obtain IATs, and consider disabling DCR entirely if it is not actively required
- Enable WAF rules – Deploy Web Application Firewall rules to detect and block XSS and SSRF payloads targeting the /connect/register endpoint, as a stopgap rather than a substitute for patching
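The attack chains above and the "Review registered clients" step both come down to the same question: does a client's metadata contain markup, a non-public URI target, or a scope/grant that the registering tier should not get? The following is an added example, not code from the article or from the Spring projects, of a metadata validator that can sit in front of a registration endpoint or be run over an export of already-registered clients. The field names follow RFC 7591 / OIDC DCR 1.0; the registry export, the policy of allowed scopes and grant types, and the internal-name suffixes are constructed assumptions for the example.

```python
"""Validate OAuth 2.0 Dynamic Client Registration metadata (RFC 7591 names).

Added example, not from the article or the Spring projects. Applies the checks
a hardened /connect/register endpoint should perform to a constructed registry
export, so it doubles as an audit tool for already-registered clients.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Characters or schemes that let a client_name render as markup in an admin UI.
MARKUP = re.compile(r"""[<>"']|javascript:|data:|on\w+\s*=""", re.IGNORECASE)
# Fields a server or admin portal may later fetch or render as links.
FETCHED_URI_FIELDS = ("logo_uri", "client_uri", "policy_uri", "tos_uri", "jwks_uri")
# Loopback hosts for which http:// redirect URIs are allowed (RFC 8252 section 7.3).
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_internal_host(host: str) -> bool:
    """True for literal non-public addresses and for names that look internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Bare names (no dot) and localhost are internal; decimal
        # forms such as "2852039166" also have no dot and are caught here.
        # The .internal/.local suffix list is an assumption for this example.
        return host == "localhost" or "." not in host or host.endswith((".internal", ".local"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_reserved


def check_uri(uri: str, *, loopback_http_ok: bool) -> list:
    """Problems with one URI: absolute https only (http only for loopback redirects),
    no fragment, no wildcard, no embedded credentials, no internal target."""
    problems = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if not parts.scheme or not host:
        return ["not an absolute URI with a host"]  # covers javascript:/data: payloads
    if parts.fragment:
        problems.append("contains a fragment")
    if parts.username or parts.password:
        problems.append("embeds credentials")
    if "*" in parts.netloc:
        problems.append("contains a wildcard")
    if parts.scheme == "https":
        pass
    elif parts.scheme == "http" and loopback_http_ok and host in LOOPBACK_HOSTS:
        return problems  # native-app loopback redirect: internal by design
    else:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if is_internal_host(host):
        problems.append("targets an internal or non-public host (SSRF risk)")
    return problems


def validate_client_metadata(md: dict, policy: dict) -> list:
    """All findings for one registration request or one stored client record."""
    findings = []
    if MARKUP.search(md.get("client_name", "")):
        findings.append("client_name: contains markup or script (stored XSS risk)")
    for field in FETCHED_URI_FIELDS:
        if field in md:
            findings += [f"{field}: {p}" for p in check_uri(md[field], loopback_http_ok=False)]
    for uri in md.get("redirect_uris") or []:
        findings += [f"redirect_uris[{uri}]: {p}" for p in check_uri(uri, loopback_http_ok=True)]
    # Privilege escalation: scope or grant_types beyond what this IAT tier may register.
    excess_scopes = set(md.get("scope", "").split()) - policy["scopes"]
    if excess_scopes:
        findings.append(f"scope: not permitted for this registration tier: {sorted(excess_scopes)}")
    excess_grants = set(md.get("grant_types", [])) - policy["grant_types"]
    if excess_grants:
        findings.append(f"grant_types: not permitted: {sorted(excess_grants)}")
    return findings


def audit_registry(export_json: str, policy: dict) -> dict:
    """Map client_id -> findings for every stored client that fails validation."""
    report = {}
    for client in json.loads(export_json):
        findings = validate_client_metadata(client, policy)
        if findings:
            report[client["client_id"]] = findings
    return report


POLICY = {  # assumption: what a standard Initial Access Token may register
    "scopes": {"openid", "profile", "email"},
    "grant_types": {"authorization_code", "refresh_token"},
}

REGISTRY_EXPORT = json.dumps([  # constructed sample export, not real clients
    {"client_id": "billing-web", "client_name": "Billing Portal",
     "redirect_uris": ["https://billing.example.com/login/oauth2/code/sas"],
     "logo_uri": "https://cdn.example.com/billing.png",
     "scope": "openid profile", "grant_types": ["authorization_code", "refresh_token"]},
    {"client_id": "field-app", "client_name": "Field Technician App",
     "redirect_uris": ["http://127.0.0.1:49152/callback"],
     "scope": "openid", "grant_types": ["authorization_code"]},
    {"client_id": "a1b2c3", "client_name": "<img src=x onerror=alert(document.cookie)>",
     "redirect_uris": ["https://*.example.com/cb#x"],
     "logo_uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
     "policy_uri": "https://10.0.0.5/policy",
     "scope": "openid admin", "grant_types": ["authorization_code", "client_credentials"]},
])

if __name__ == "__main__":
    for client_id, findings in audit_registry(REGISTRY_EXPORT, POLICY).items():
        print(client_id)
        for finding in findings:
            print("  -", finding)
```

Two design choices are worth noting. Markup in client_name is rejected rather than escaped, because the authorization server does not control the admin consoles that will later render the value. URI fields are checked for internal targets at validation time by literal address and name shape only; a server that actually fetches logo_uri or jwks_uri should additionally resolve the name and re-check the resolved address at fetch time, since DNS rebinding can defeat a registration-time check.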
FAQ
Q1: Does CVE-2026-22752 affect all Spring Authorization Server deployments?
No, the vulnerability is only exploitable when Dynamic Client Registration is explicitly enabled in the server configuration.
Q2: Do attackers need admin credentials to exploit this flaw?
No, only a valid Initial Access Token is required, which represents a low-privilege authentication prerequisite.
Q3: Are fixes available for free for all affected versions?
Only Spring Security 7.0.5 and Spring Authorization Server 1.5.7 are available as OSS; fixes for 1.3. x and 1.4.x require a commercial Spring Enterprise subscription.
Q4: Can turning off Dynamic Client Registration fully mitigate the risk before patching?
Yes, if DCR is not operationally required, turning off the /connect/register endpoint removes the registration attack surface as an interim mitigation. Clients registered before it was disabled remain in the registry, so pair this with the client review above.
Site: https://thecybrdef.com