CVE-2026-47838: Spring Security X.509 Certificate DN Parsing Flaw Allows User Impersonation
Spring Security contains a flaw in how it processes X.509 certificate subject names (the DN field used for authentication). When a certificate contains a specially crafted Common Name (CN) value, Spring Security may misread it and extract the wrong username. An authenticated attacker could exploit this by presenting a malformed certificate to impersonate another user. The vulnerability affects multiple Spring Security versions across the 5.7, 5.8, 6.3, 6.4, and 6.5 release lines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-287
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-30
NVD description (verbatim)
SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The SubjectDnX509PrincipalExtractor class fails to properly validate and parse malformed X.509 certificate DN values, specifically in the CN field extraction logic. When a certificate subject name is crafted to contain ambiguous or non-standard CN formatting, the extractor reads an incorrect value and maps it to the wrong principal identity. This violates the authentication contract by allowing a certificate presented by one user to authenticate as a different user. The vulnerability is classified as CWE-287 (Improper Authentication), reflecting the core weakness in identity verification.
Business impact
Organizations relying on X.509 certificate-based authentication with Spring Security face a risk of unauthorized lateral movement and privilege escalation. An authenticated user with a valid certificate could craft a malformed certificate to gain access to another user's resources or permissions. In multi-tenant or federated identity environments, this could enable cross-tenant impersonation. The impact is heightened in systems where certificates are issued by external CAs or where certificate validation is delegated to infrastructure outside direct organizational control.
Affected systems
Spring Security versions 5.7.0–5.7.24, 5.8.0–5.8.26, 6.3.0–6.3.17, 6.4.0–6.4.17, and 6.5.0–6.5.10 are affected. Any Spring application or Spring Boot application using certificate-based authentication via X.509 principal extraction is at risk. The vulnerability applies regardless of whether X.509 authentication is the primary or secondary authentication method.
Exploitability
Exploitation requires an attacker to already be authenticated with a valid certificate (PR:L in the CVSS vector). The attacker must then craft a malformed certificate that causes the extraction logic to resolve to a different username. This is not trivial—it requires understanding the target system's DN parsing behavior and having access to certificate generation or interception capabilities. However, once a valid certificate is obtained, the barrier to crafting a malicious DN is moderate, making this a concern for environments with weaker certificate lifecycle controls.
Remediation
Apply security updates from VMware Spring Security to patch the DN parsing logic. Verify the specific patch versions for your branch (5.7, 5.8, 6.3, 6.4, or 6.5) against the vendor advisory. In addition to patching, implement defense-in-depth by validating certificate DNs at the application level and restricting which certificate issuers are trusted. Monitor authentication logs for anomalous certificate usage or DN values that do not conform to your organization's naming conventions.
Patch guidance
Upgrade to the first patched version available for your currently deployed Spring Security branch. VMware will release patches for all affected versions; consult the official Spring Security security advisory for exact version numbers and timelines. If you are on an older branch (5.7, 5.8), prioritize upgrading to a newer supported release (6.5 or later) rather than waiting for backported patches. Test patches in a staging environment with X.509 authentication enabled before production deployment to ensure certificate validation still works as expected.
Detection guidance
Enable detailed logging in Spring Security's authentication filters and examine DN extraction logs for unexpected or malformed subject names. Alert on authentication success when the extracted DN does not match the expected format for your organization. In environments with SIEM integration, create a correlation rule for certificate authentications where the CN field contains non-standard characters, escape sequences, or length anomalies. Review certificate revocation lists (CRLs) and audit logs for issued certificates with unusual DN values. Network monitoring tools can flag X.509 handshakes followed by privilege escalation or lateral movement.
Why prioritize this
Although the CVSS score of 6.8 (MEDIUM) reflects the requirement for prior authentication, the attack is high-impact and strikes at the root of identity trust. In any system where X.509 authentication is used, this is a critical business logic flaw. Prioritize patching for any organization using certificate-based authentication, especially those with federated or multi-tenant architectures. This vulnerability should not be deprioritized based on CVSS alone—organizational risk depends on reliance on X.509 for authentication.
Risk score, explained
The CVSS 3.1 score of 6.8 reflects a network-exploitable (AV:N) medium-severity impact with high complexity (AC:H) and a requirement for low-level authentication (PR:L). The vector shows high confidentiality and integrity impact (C:H/I:H) but no availability impact. The complexity modifier accounts for the difficulty of crafting a malformed certificate that exploits the specific parsing flaw. Organizations should adjust their risk posture upward if X.509 is a primary authentication mechanism or if certificate issuance is not tightly controlled.
Frequently asked questions
Does this vulnerability affect Spring Security if we don't use X.509 certificate authentication?
No. If your application uses other authentication methods (LDAP, OAuth, SAML, or form-based login), this vulnerability does not apply. However, verify your configuration to ensure X.509 authentication is not enabled as a fallback or secondary method.
Can an attacker exploit this without already having a valid certificate?
No. The vulnerability requires the attacker to present a certificate that passes initial validation (hence PR:L in the CVSS vector). An attacker without legitimate certificate credentials cannot trigger the flaw.
What should we do if we can't patch immediately?
Implement compensating controls: tighten certificate issuer policies, restrict accepted DN formats at the application layer, audit all certificate-based logins, and monitor for suspicious certificate usage. Request expedited patching from your organization's release management process. If X.509 is optional, consider disabling it temporarily in favor of alternative authentication methods.
How can we test if our application is vulnerable?
If possible, obtain or generate a test certificate with a carefully formatted CN field that deviates from your organization's standard (e.g., embedded special characters or escape sequences) and attempt authentication. Successful impersonation of another user confirms the vulnerability. For production environments, review the Spring Security advisory for provided proof-of-concept DN examples and test in staging first.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Specific patch availability, version numbers, and timelines must be verified against the official VMware Spring Security security advisory. Organizations should conduct their own risk assessment based on their use of X.509 authentication and certificate lifecycle practices. No liability is assumed for decisions made based on this analysis. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2023-5502MEDIUMArista EOS 802.1x Authentication Bypass Vulnerability
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2026-10548MEDIUMImproper Authentication in NousResearch hermes-agent Credential Synchronization
- CVE-2026-45153MEDIUMNextcloud Android Files App PIN Bypass via Back Button
- CVE-2026-45283MEDIUMNextcloud File Lock Authorization Bypass
- CVE-2026-45289MEDIUMCloudburstMC Protocol Authentication Validation Bypass (MEDIUM)
- CVE-2026-45690MEDIUMNextcloud 2FA Bypass via Session Token Replay
- CVE-2026-45691MEDIUMNextcloud 2FA Bypass via Session Cookie Reuse on DAV Endpoints