CVE-2026-2742

Severity: Medium (CVSS 4.0 base score 5.3) · EPSS: 30.9%
Published: Mar 10, 2026 (3mo ago) · Last Modified: Jun 17, 2026 (2w ago)

Description

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1 in applications using Spring Security, due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses the security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported; you should update to the latest 14, 23, 24 or 25 version.

CVSS Details

Base Score: 5.3
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: N

Threat Intelligence

EPSS Exploit Probability: 30.9% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-284

Affected Products (4)

Vendor   Product   Version   Range
vaadin   vaadin    *         ≥10.0.0 – <14.14.1
vaadin   vaadin    *         ≥15.0.0 – <23.6.7
vaadin   vaadin    *         ≥24.0.0 – <24.9.8
vaadin   vaadin    *         ≥25.0.0 – <25.0.2

References (7)

  • github.com https://github.com/vaadin/flow/pull/22998
    Issue Tracking, Patch
  • github.com https://github.com/vaadin/flow/pull/23033
    Issue Tracking, Patch
  • github.com https://github.com/vaadin/flow/pull/23034
    Issue Tracking, Patch
  • github.com https://github.com/vaadin/flow/pull/23037
    Issue Tracking, Patch
  • github.com https://github.com/vaadin/flow/pull/23052
    Issue Tracking, Patch
  • github.com https://github.com/vaadin/flow/pull/23057
    Issue Tracking, Patch
  • vaadin.com https://vaadin.com/security/cve-2026-2742
    Vendor Advisory