← volver
CVE-2026-47838

Unauthorized User Impersonation when Using X.509 Client Certificates

CVSS 6.8 MEDIUMEPSS 0.1%CWE-287
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.8EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Productos afectados
Spring · Spring Security

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://spring.io/security/cve-2026-47838