Applications using Spring Security in Servlet-based environments may fail to write HTTP response headers even when those headers are explicitly configured. This can result in missing security headers (e.g., HSTS, CSP, X-Frame-Options), potentially leaving the application exposed to browser-based attacks that those headers are meant to mitigate.
Affected component: Spring Security
This issue is caused by a long-standing latent bug within Spring Security that was exposed following updates in Spring Framework 7.0.5. The vulnerability specifically impacts applications performing non-standard or highly specific manipulations of HTTP response headers.
To remediate this vulnerability, upgrade to the appropriate patched version of Spring Security. The fix is contained entirely within the Spring Security component.
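Because the defect is that configured headers silently never reach the client, the useful post-upgrade check is on the wire rather than in the configuration. The following script is an added example, not code from Spring or from this advisory: it inspects a response's headers for the three named in the description (HSTS, CSP, X-Frame-Options) and reports each one that is absent or carries a value that restricts nothing. The value checks are this example's own minimal policy, not Spring Security's defaults, and the two sample responses are constructed fixtures; passing a URL on the command line runs the same check against a live endpoint.

```python
"""Check that an application's configured security headers actually arrive.

Added example (not Spring's code). The value checks below are a minimal
policy chosen for this example; SAMPLE_GOOD and SAMPLE_BAD are constructed
sample responses, not captured traffic.
"""
import http.client
from typing import Callable, Dict, List
from urllib.parse import urlparse


def _hsts_ok(value: str) -> bool:
    """HSTS only takes effect with a positive max-age directive."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age":
            return num.strip().isdigit() and int(num) > 0
    return False


def _xfo_ok(value: str) -> bool:
    """Browsers honour X-Frame-Options only as DENY or SAMEORIGIN."""
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def _csp_ok(value: str) -> bool:
    """A CSP without default-src or frame-ancestors constrains very little."""
    directives = {d.strip().split(" ")[0].lower() for d in value.split(";") if d.strip()}
    return bool(directives & {"default-src", "frame-ancestors"})


# Expected header -> predicate that accepts a meaningful value.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": _xfo_ok,
}


def header_findings(headers: Dict[str, str]) -> List[str]:
    """Return one finding per expected header that is missing or weak.

    Header names are compared case-insensitively, as HTTP requires, so a
    response emitting 'X-FRAME-OPTIONS' is not reported as missing.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, check in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not check(lower[name]):
            findings.append(f"weak: {name}={lower[name]!r}")
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Issue a single GET and return the response headers (live check; needs network)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return dict(resp.getheaders())
    finally:
        conn.close()


# Constructed fixtures: a response from a correctly behaving deployment, and
# one where the configured headers were never written to the response.
SAMPLE_GOOD = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
SAMPLE_BAD = {"Content-Type": "text/html", "Content-Length": "42"}

if __name__ == "__main__":
    import sys

    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BAD
    for line in header_findings(headers) or ["all expected security headers present"]:
        print(line)
```

Run it against the application's own endpoints after upgrading; a deployment that still reports `missing:` lines for headers its `HeadersConfigurer` sets is still on an affected combination of versions or has a filter ordering problem unrelated to this advisory.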
https://spring.io/security/cve-2026-22732