Impact Assessment of CVE-2026-22732 on Spring Cloud Services (Config-Server and Service-Registry)



Article ID: 438130


Updated On:

Products

VMware Tanzu Platform Spring

Issue/Introduction

Customers are assessing the urgency of patching for CVE-2026-22732 (Spring Security HTTP Response Header Vulnerability). Specifically, there is a concern regarding whether the Config-Server and Service-Registry (Eureka) apps implement Spring Security and use it to specify HTTP response headers that might be omitted due to this vulnerability.

Environment

VMware Tanzu Platform Spring 

Cause

CVE-2026-22732 is a bug in which Spring Security fails to write its configured HTTP response headers in specific Servlet-based environments. For an application to be practically affected, it must rely on Spring Security to write those headers; an application that never configures them through Spring Security has nothing to lose. More information is available in the KB https://knowledge.broadcom.com/external/article/434435/cve202622732-spring-security-http-respon.html and the official advisory https://spring.io/security/cve-2026-22732

  • Security scans may flag Spring Security versions prior to 6.5.9, 6.4.4, or 6.3.10 as vulnerable to CVE-2026-22732.
  • Concerns regarding the missing security headers (e.g., HSTS, CSP, X-Frame-Options) in SCS system components.

Resolution

Based on a technical review of the Config-Server and Service-Registry (Eureka) implementations within Spring Cloud Services:

  1. Spring Security Usage: Both Config-Server and Service-Registry utilize Spring Security for authentication and authorization.
  2. Header Configuration: Neither application is configured to set custom or standard security response headers via Spring Security.
  3. Code Analysis:
    • In the Service-Registry (Eureka) codebase, the only instance of an explicit response header being written is tied to a debug property: eureka.server.version.filter.debug.response-header.
    • This header is only added if the debug property is explicitly enabled by the user; otherwise, it is skipped in production environments.
    • Config-Server does not perform manipulations of HTTP response headers that would be impacted by this specific vulnerability.

While these components use affected versions of Spring Security, they do not implement the specific header-writing behavior that triggers the vulnerability. Therefore, the risk to Config-Server and Service-Registry for CVE-2026-22732 is considered minimal.
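The assessment above is based on code review. A practitioner will usually also want an external check: request an endpoint of the component and see which security headers actually come back, since what matters for this CVE is the header-writing behaviour the application itself relies on. The following script is an added example, not code from the KB article or from Spring Cloud Services. It parses a raw HTTP response (a constructed sample is embedded) or, when given a URL, fetches it with urllib, and reports which of the headers Spring Security writes by default are absent. The list in EXPECTED_HEADERS is an assumption for this example: Cache-Control, X-Content-Type-Options, X-Frame-Options and Strict-Transport-Security are Spring Security defaults, while Content-Security-Policy is included only because scanners often expect it; adjust the list to your own baseline.

```python
"""Report which Spring Security default response headers a component returns.

Added example, not part of the KB article or of Spring Cloud Services.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List

# Assumption for this example: headers a scanner expects. The first four are
# Spring Security defaults (HSTS only on HTTPS); CSP is not a default and is
# listed only because scans commonly look for it.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Cache-Control",
    "Content-Security-Policy",
)

# Constructed sample: a JSON response that carries three of the default
# headers but neither HSTS nor CSP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response.

    Returns a dict keyed by lower-cased header name (HTTP header names are
    case-insensitive, so comparisons must be too).
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected headers that are absent, in EXPECTED_HEADERS order."""
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def fetch_headers(url: str, verify_tls: bool = True) -> Dict[str, str]:
    """GET a URL and return its response headers, lower-cased.

    A 401/403 from a protected endpoint (Service-Registry and Config-Server
    require credentials) is still a useful answer: Spring Security writes its
    headers on rejected requests too, so the error response is inspected
    rather than discarded.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab targets with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map each expected header to whether it was present."""
    return {h: h.lower() in headers for h in EXPECTED_HEADERS}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        hdrs = fetch_headers(sys.argv[1])
    else:
        hdrs = parse_raw_response(SAMPLE_RESPONSE)
    for name, present in audit(hdrs).items():
        print(f"{'present' if present else 'MISSING'}  {name}")
```

When run against a live component, compare the result with and without the upgrade, and remember that a header seen from outside may be added by a router or load balancer in front of the app rather than by Spring Security; the CVE only concerns headers the application itself writes through Spring Security.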

Despite the low immediate risk, it is recommended to upgrade to SCS 3.3.16 (or the latest available patch) which includes Spring Security 6.5.9 to ensure general security hygiene and compliance with vulnerability scan requirements.