A serious security flaw has been disclosed in Spring Authorization Server, the Spring Security project's OAuth 2.0 authorization server, raising concerns for organizations that rely on it for authentication and access control. The vulnerability, tracked as CVE-2026-22752, affects deployments where Dynamic Client Registration is enabled, a feature used in OAuth 2.0 and OpenID Connect systems to onboard new clients automatically instead of provisioning them by hand.
The issue was reported by security researcher Kelvin Mbogo and officially disclosed by the Spring Security team in April 2026. At its core, the flaw is improper validation of client-supplied metadata during the registration process: values submitted in the registration request are accepted without sufficient checks. That might sound like a minor oversight, but it opens the door to a chain of serious attacks.
In practical terms, an attacker holding a valid Initial Access Token can register a malicious OAuth client and place carefully crafted values in its metadata. This can lead to stored cross-site scripting (XSS): the injected script is persisted with the client record and executes in the browser of whoever later views that record in the authorization interface. From there, an attacker can manipulate sessions or steal sensitive information without the victim realizing it. Note the precondition: the attacker needs an Initial Access Token, so how those tokens are issued, and to whom, is central to the exposure.
The risk does not stop there. The same vulnerability can also be used for privilege escalation, enabling attackers to gain access levels beyond what they were originally granted. Additionally, it can trigger server-side request forgery (SSRF), in which the server is induced to make requests to internal systems on the attacker's behalf. This combination makes the flaw particularly dangerous in modern cloud and microservices environments, where internal services are often reachable from the authorization server but not from the outside.
What makes this vulnerability especially critical is how easy it is to exploit. It can be executed remotely and requires only minimal access, namely a valid Initial Access Token; the registration step itself needs no user interaction, although the stored XSS stage still depends on a victim loading the affected interface. Given that OAuth authorization servers sit at the heart of authentication workflows, a successful exploit could result in account takeovers, lateral movement across systems and large-scale data breaches.
Multiple versions of Spring Security and Spring Authorization Server are affected, and patches have been released. Organizations are strongly urged to upgrade to the fixed versions immediately. For those unable to patch right away, disabling the Dynamic Client Registration endpoint removes the exposed code path, at the cost of automated client onboarding. In Spring Authorization Server this endpoint is off unless it has been explicitly configured, so a quick look at the authorization server configuration shows whether a deployment is exposed at all. Because the injected metadata is stored, patching alone does not clean up clients that were registered while the flaw was exploitable; those client records should be reviewed as well.
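The configuration check described above, as an added example that is not from the original article or from the Spring project: a minimal Spring Authorization Server security configuration in which the single call that installs the Dynamic Client Registration endpoint is gated behind a flag. It assumes Spring Authorization Server 1.3 or later and Spring Security 6.2 or later (where `OAuth2AuthorizationServerConfigurer.authorizationServer()` and `HttpSecurity.with(...)` exist); the class name, bean name and flag are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Illustrative configuration class (name is an assumption), not the project's own code.
@Configuration
@EnableWebSecurity
public class AuthorizationServerConfig {

    // Set to true only where automated client onboarding is genuinely required.
    // Leaving it false is the temporary mitigation described in the advisory.
    private static final boolean ENABLE_DYNAMIC_CLIENT_REGISTRATION = false;

    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();

        http
            // Only the authorization server's own endpoints are handled by this chain.
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, server -> server
                .oidc(oidc -> {
                    // Without this call the OpenID Connect Client Registration endpoint
                    // (/connect/register by default) is never installed, so no
                    // registration request, with or without an Initial Access Token,
                    // reaches the metadata handling that the advisory concerns.
                    if (ENABLE_DYNAMIC_CLIENT_REGISTRATION) {
                        oidc.clientRegistrationEndpoint(Customizer.withDefaults());
                    }
                })
            );

        return http.build();
    }
}
```

To confirm the mitigation took effect, send a POST to the issuer's /connect/register path and check that the authorization server no longer processes it as a registration. Where the endpoint has to stay enabled until the patched version is deployed, the remaining lever is the Initial Access Token: in Spring Authorization Server the registration endpoint accepts only an access token carrying the client.create scope, so restricting which clients can obtain that scope narrows who can reach the flaw.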
This incident is a strong reminder that even small validation gaps in authentication systems can turn into major risks. With XSS and SSRF reachable from a single registration request, the attack surface extends well beyond the registration endpoint itself, making prompt patching and regular configuration review more important than ever.