Unauthorized User Impersonation when Using X.509 Client Certificates_CVE-2026-47838

6.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.

Affected versions:
Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Basic Information

ID CVE-2026-47838

Source vmware

Published Jun 9, 2026 at 23:50

Affected Product

Vendor Spring

Product Spring Security

Version 5.7.0

Affected Versions Spring Spring Security 5.7.0
Spring Spring Security 5.8.0
Spring Spring Security 6.3.0
Spring Spring Security 6.4.0
Spring Spring Security 6.5.0

CWE Classification

CWE-287

References

spring.io /security/cve-2026-47838

{
    "lastseen": "",
    "description": "SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.",
    "published": "2026-06-09T23:50:07.988Z",
    "modified": "2026-06-09T23:50:07.988Z",
    "type": "cve",
    "title": "Unauthorized User Impersonation when Using X.509 Client Certificates",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-47838",
    "id": "CVE-2026-47838",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Security 5.7.0\nSpring Spring Security 5.8.0\nSpring Spring Security 6.3.0\nSpring Spring Security 6.4.0\nSpring Spring Security 6.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Security",
    "version": "5.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}