Workaround for CVE-2026-22732 in Spring Boot 3.1.x Environments
Article ID: 438182

Products

VMware Tanzu Spring Runtime

Issue/Introduction

Applications built on Spring Boot 3.1.x, whose managed Spring Security version is 6.1.x, are affected by CVE-2026-22732, a vulnerability in the Spring Security web components that concerns HTTP response header configuration.

Spring Security 6.1.x is no longer covered by the standard Enterprise or extended support tiers, so a patched 6.1.x release may not be published for this branch.

Environment

  • Product: VMware Tanzu Spring Runtime / Spring Essentials
  • Version: Spring Boot 3.1.x
  • Dependency: Spring Security 6.1.x

Resolution

To mitigate the risk associated with CVE-2026-22732 without performing a major version upgrade, the Spring team has published official configuration workarounds.

Workaround Steps

  1. Review Official Guidance: Access the detailed security advisory and specific code-based workarounds at the official Spring Security advisory page:
  2. Apply Configuration Changes: In the SecurityFilterChain bean's headers() configuration, explicitly set or disable only the headers named in the advisory. Do not disable other default header writers, since each one removes a browser-side protection.
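
The following Spring Security 6.1 lambda-DSL configuration is an added illustration of the mechanism step 2 refers to; it is not code from this article or from the Spring advisory, and it does not implement the advisory's actual workaround. The header choices shown (frameOptions, cacheControl, and the X-Placeholder-Header name and value) are placeholders chosen only to show each call shape; substitute the headers and values the advisory specifies.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class HeaderWorkaroundConfig {

    // Single filter chain; an application with several chains must apply the
    // same headers() changes to every chain that serves affected responses.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // Explicitly set a header that Spring Security manages by default.
                // Placeholder: the advisory names the real header and value.
                .frameOptions(frame -> frame.sameOrigin())
                // Disable a default header writer. Placeholder only: each
                // disable() removes a protection, so use it solely where the
                // advisory instructs.
                .cacheControl(cache -> cache.disable())
                // Emit a fixed header on every response, independent of the
                // built-in writers. Name and value are placeholders.
                .addHeaderWriter(new StaticHeadersWriter(
                        "X-Placeholder-Header", "placeholder-value"))
            );
        return http.build();
    }
}
```

After deploying, confirm the change reached the wire rather than assuming it: request an affected endpoint with `curl -sI https://your-host/path` and inspect the response headers, ideally from outside any reverse proxy, since a proxy or CDN that rewrites headers can mask or undo what the filter chain emits. It is also worth confirming which Spring Security version the build actually resolves (`./mvnw dependency:tree -Dincludes=org.springframework.security` or `./gradlew dependencies --configuration runtimeClasspath`), because a dependency override can leave an application on a different line than its Spring Boot parent suggests.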

 

Recommended Long-Term Solution

The most secure course of action is to upgrade to a supported Spring Boot line whose managed Spring Security version contains the fix, rather than relying on the configuration workaround indefinitely.
