Unauthorized Session Creation via Reserved Framework Path Access
Severity: Medium (Base score 5.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
CVE entry:
Overview
An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the `/VAADIN` endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.
See CWE-284: Improper Access Control
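The root cause described above is two components disagreeing about which request paths are "reserved": the framework's own check accepts the bare `/VAADIN` path, while the security rule only covers the sub-tree. The following is an added illustration written for this advisory, not Vaadin's or Spring Security's code; it uses a deliberately simplified Ant-style matcher (assumed here to require the slash after `/VAADIN` for a `/VAADIN/**` rule) to model the mismatch, and an audit helper that lists reserved paths no security rule protects, with the weak rule set beside a corrected one.

```python
import re

# Constructed model of the bug class, not any real library's matcher.
# Assumption: this minimal Ant-style translator treats "/x/**" as requiring
# the "/x/" prefix, so the bare "/x" path is left unmatched.

def ant_to_regex(pattern):
    """Translate a minimal Ant-style pattern: '**' spans segments, '*' does not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def protected_by(patterns, path):
    """True if at least one security rule pattern matches the request path."""
    return any(ant_to_regex(p).match(path) for p in patterns)

def is_reserved(path):
    """Framework-side view: the reserved root itself and everything beneath it."""
    return path == "/VAADIN" or path.startswith("/VAADIN/")

def uncovered_reserved_paths(patterns, paths):
    """Paths the framework treats as reserved but no security rule protects."""
    return [p for p in paths if is_reserved(p) and not protected_by(patterns, p)]

# Constructed sample of request paths, as they might appear in an access log.
SAMPLE_PATHS = ["/VAADIN", "/VAADIN/", "/VAADIN/static/app.js", "/login", "/VAADINx"]

# Weak rule set: only the sub-tree is guarded, so the bare root slips through.
WEAK_RULES = ["/VAADIN/**"]
# Corrected rule set: the reserved root is named explicitly as well as the sub-tree.
FIXED_RULES = ["/VAADIN", "/VAADIN/**"]

if __name__ == "__main__":
    print(uncovered_reserved_paths(WEAK_RULES, SAMPLE_PATHS))   # ['/VAADIN']
    print(uncovered_reserved_paths(FIXED_RULES, SAMPLE_PATHS))  # []
```

Running the audit against your own rule set and the paths the framework reserves is a quick way to confirm an upgrade or configuration change actually closes the gap.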
Affected products and mitigation
Users of affected versions should upgrade to a fixed version.
| Product version | Mitigation |
|---|---|
| Vaadin 14.0.0 - 14.14.0 | Upgrade to 14.14.1 |
| Vaadin 23.0.0 - 23.6.6 | Upgrade to 23.6.7 |
| Vaadin 24.0.0 - 24.9.7 | Upgrade to 24.9.8 or newer |
| Vaadin 25.0.0 - 25.0.1 | Upgrade to 25.0.2 or newer |
Please note that Vaadin versions 10-13 and 15-22 are no longer supported; users of those versions should upgrade to the latest 14, 23, or 24 release.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:flow-server | 14.0.0 - 14.14.0 | ≥14.14.1 |
| com.vaadin:flow-server | 23.0.0 - 23.6.6 | ≥23.6.7 |
| com.vaadin:flow-server | 24.0.0 - 24.9.7 | ≥24.9.8 |
| com.vaadin:flow-server | 25.0.0 - 25.0.1 | ≥25.0.2 |
References
History
- 2026-03-10: Initial vulnerability report published