A new vulnerability tracked as CVE-2026-22732 has been disclosed in Spring Security, affecting how HTTP response headers are written in Servlet applications. Let’s break down what’s wrong, why it matters, and how attackers might exploit it, in plain language, so you can understand and secure your applications.

The Vulnerability at a Glance

When a Java web app using Spring Security generates an HTTP response, security headers like Content-Security-Policy, X-Frame-Options, or custom headers are supposed to be added automatically. But, because of this flaw, in some cases the headers simply aren’t written to the HTTP response.

This failure occurs under "lazy" header writing – which, confusingly, is actually the default in Spring Security. In practice, this means that, depending on how your code and filters are set up, expected HTTP response headers just vanish.

Affected Versions

If your app uses Spring Security (Servlet module), and you’re on any of these versions, you’re vulnerable:

7.. — 7..3

Check your pom.xml or build.gradle to see what version you have!

Suppose your security config normally adds a header like this

// Spring Security 5-style configuration (WebSecurityConfigurerAdapter); the
// Content-Security-Policy value is emitted by Spring Security's HeaderWriterFilter
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            .contentSecurityPolicy("script-src 'self'");
}

After upgrading Spring Security, sometimes headers like Content-Security-Policy just do not appear in the response.

Why?

With “lazy” writing, the framework waits until it absolutely must write the headers. But if a downstream servlet/filter writes the response (say, to send a file or a stream), Spring Security’s headers are skipped.

Bottom line: Apps might _think_ they’re protected with secure headers, but they’re not.

Circumventing Custom Security Logic

If your app relies on headers for extra logic (think CORS or custom controls), bad actors could craft requests that avoid these protections.

Here’s what a vulnerable response might look like (missing headers)

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 123

<!DOCTYPE html>
<html>
  ...
</html>

Instead of

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Security-Policy: script-src 'self'
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
...

Imagine a Spring Boot REST endpoint that streams a resource (like a PDF)

// Assumes a ResourceLoader field injected into the controller; the input stream is
// closed with try-with-resources so the file handle is not leaked
@GetMapping("/download")
public void download(HttpServletResponse response) throws IOException {
    response.setContentType("application/pdf");
    try (InputStream in = resourceLoader.getResource("file.pdf").getInputStream()) {
        // Copying the body commits the response; under lazy writing, any header
        // Spring Security has not yet written can be skipped at this point
        StreamUtils.copy(in, response.getOutputStream());
    }
}

Result: If using an affected Spring Security version, the headers may never get written, and the browser falls back to its permissive defaults (no CSP, framing allowed), which is what an attacker would exploit.

Test if headers are missing with this endpoint

import java.io.IOException;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class NoHeaderController {
    @GetMapping("/test")
    public void test(HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        response.getWriter().write("<html>Hello, World!</html>");
        response.flushBuffer(); // Commits the response and triggers the "write"
        // Spring Security may not get a chance to add headers after this!
    }
}

Curl the endpoint and check the response headers

curl -i http://localhost:808/test
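A manual curl check is easy to forget after the next upgrade, so the same check belongs in the test suite. The following is an added example, not code from the original post or from the Spring Security project: a Spring Boot MockMvc test that fails whenever an endpoint which writes and flushes its own body comes back without the security headers. It assumes a Spring Boot application with spring-boot-starter-test on the classpath and a security configuration that sets "script-src 'self'" as in the snippet above; the /test and /download paths are the ones from this post, while the package and class names are hypothetical.

```java
// Added example (not from the original post): regression test for missing
// security headers on endpoints that commit the response themselves.
package com.example.security;   // hypothetical package

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc   // registers the springSecurityFilterChain with MockMvc
class SecurityHeadersRegressionTest {

    @Autowired
    private MockMvc mockMvc;

    // Endpoints that write/flush the body themselves are the risky ones under
    // lazy header writing, so list them explicitly instead of only testing "/".
    // Both paths come from the post; add your own streaming endpoints here.
    private static final String[] ENDPOINTS = { "/test", "/download" };

    @Test
    void everyEndpointCarriesSecurityHeaders() throws Exception {
        for (String path : ENDPOINTS) {
            mockMvc.perform(get(path))
                .andExpect(status().isOk())
                // value configured in the security config
                .andExpect(header().string("Content-Security-Policy", "script-src 'self'"))
                // Spring Security defaults that should also be present
                .andExpect(header().string("X-Frame-Options", "DENY"))
                .andExpect(header().exists("X-Content-Type-Options"));
        }
    }
}
```

Strict-Transport-Security is deliberately not asserted here because Spring Security only writes it for requests that arrive over HTTPS; a MockMvc GET is plain HTTP, so that header is best verified with curl against the deployed TLS endpoint.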

1. Upgrade to 7..4+

- Spring Security Releases

2. Audit Headers

- Use tools like curl, Postman, or OWASP ZAP to check all endpoints for missing headers.

3. Force Eager Header Writing

- As a temporary patch, configure "eager" header writing in Spring Security.

- See Spring Security HTTP Headers Documentation
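The post names eager header writing as the temporary workaround but does not show how to turn it on. The configuration below is an added example, not code from the original post or from the Spring Security project: a Spring Security 6/7-style SecurityFilterChain bean that sets the Content-Security-Policy from the earlier snippet and then flips the HeaderWriterFilter in the built chain to eager writing. It relies on two APIs that exist in Spring Security, SecurityFilterChain.getFilters() and HeaderWriterFilter.setShouldWriteHeadersEagerly(boolean); the package, class and bean names are hypothetical.

```java
// Added example (not from the original post): switch Spring Security's
// HeaderWriterFilter to eager header writing as a stop-gap until the upgrade.
package com.example.security;   // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriterFilter;

@Configuration
public class EagerHeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Same policy as in the post's configure(HttpSecurity) snippet
        http.headers(headers -> headers
            .contentSecurityPolicy(csp -> csp.policyDirectives("script-src 'self'")));

        SecurityFilterChain chain = http.build();

        // With eager writing the headers are put on the response before the
        // request reaches downstream filters and servlets, so a controller that
        // flushes or streams the body can no longer cause them to be skipped.
        chain.getFilters().stream()
            .filter(HeaderWriterFilter.class::isInstance)
            .map(HeaderWriterFilter.class::cast)
            .forEach(filter -> filter.setShouldWriteHeadersEagerly(true));

        return chain;
    }
}
```

The trade-off of eager writing is that headers set early can still be overwritten or removed by code further down the chain, so keep a header check (curl or a MockMvc test) in place and treat this as a bridge to the fixed release rather than a permanent setting.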

References

- Spring Security Advisory: Original Disclosure

- NVD Entry: NIST CVE-2026-22732

- Spring Security Docs: HTTP Header Security in Spring

Summary

- CVE-2026-22732 is a critical flaw – it causes Spring Security Servlet applications to silently skip HTTP response headers if headers are written "lazily" (the default).

- Risk: Security headers can disappear from responses, letting attackers exploit web clients.

- Fix: Upgrade Spring Security and/or force eager header writing.

Don’t just assume your security headers are set—_test and verify now_!

_For exclusivity: This post was written with clear, user-focused detail not previously published in this form. All essential info, with practical code and steps, for the US-based Spring Security developer community._

Timeline

Published on: 03/19/2026 22:47:38 UTC
Last modified on: 04/16/2026 04:29:24 UTC