Critical Spring Authorization Server Flaw Enables XSS, Privilege Escalation, and SSRF

A critical security vulnerability, tracked as CVE-2026-22752, has been discovered in Spring Security Authorization Server, putting organizations at significant risk.

The flaw impacts deployments that have enabled the Dynamic Client Registration feature, a component used in OAuth-based authentication systems.

The issue was reported by security researcher Kelvin Mbogo and officially disclosed by the Spring Security team on April 21, 2026.

According to the advisory, the vulnerability stems from improper validation of client-supplied metadata during dynamic registration.

How the Vulnerability Works

When Dynamic Client Registration is enabled, attackers with a valid Initial Access Token can register a malicious OAuth client.

By injecting specially crafted metadata, attackers can exploit the system in multiple ways:

  • Stored Cross-Site Scripting (XSS): Malicious scripts can be permanently stored and executed within the authorization server interface.
  • Privilege Escalation: Attackers may gain higher-level permissions than intended.
  • Server-Side Request Forgery (SSRF): The server can be tricked into sending requests to internal systems, potentially exposing sensitive infrastructure.

This combination of attack vectors makes the flaw particularly dangerous, especially in modern cloud-native and microservices environments.

The vulnerability carries a high CVSS score; its vector is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). This means:

  • It is exploitable remotely over the network.
  • It requires only low privileges (a valid Initial Access Token) to exploit.
  • It needs no user interaction.
  • It has a high impact on confidentiality and integrity, and the changed scope (S:C) means that impact reaches beyond the authorization server component itself.

Since OAuth authorization servers are central to authentication workflows, a successful attack could lead to account takeover, lateral movement across services, and data exfiltration.

The following versions are confirmed vulnerable:

  • Spring Security: 7.0.0 to 7.0.4
  • Spring Authorization Server:
      • 1.3.0 to 1.3.10
      • 1.4.0 to 1.4.9
      • 1.5.0 to 1.5.6

Spring has released patched versions to address the issue:

  • Spring Security 7.0.x → upgrade to 7.0.5
  • Spring Authorization Server 1.3.x → upgrade to 1.3.11
  • Spring Authorization Server 1.4.x → upgrade to 1.4.10
  • Spring Authorization Server 1.5.x → upgrade to 1.5.7

Organizations using commercial versions can access fixes via Spring Enterprise.

If immediate patching is not possible, security teams should disable Dynamic Client Registration endpoints as a temporary mitigation.
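In Spring Authorization Server the Dynamic Client Registration endpoint (served at /connect/register by default) is opt-in: it only exists if the OIDC configurer is asked for it. The following is an added example, not code from the advisory or from the Spring project, showing the exposed configuration next to the mitigated one. It assumes the `OAuth2AuthorizationServerConfigurer.authorizationServer()` configuration style of the 1.4+ line (the 1.3 line configures the same `.clientRegistrationEndpoint(...)` call through `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity`, and the mitigation is the same: drop that call); the class and bean names are this example's own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the advisory's or Spring's own code). Shows how the
// Dynamic Client Registration endpoint gets enabled and how to switch it off
// as the temporary mitigation for CVE-2026-22752 while patching is pending.
@Configuration
public class AuthorizationServerConfig {

    // EXPOSED: enabling the OIDC client registration endpoint on an unpatched
    // version serves /connect/register, so any holder of an Initial Access
    // Token (a client granted the client.create scope) can register a client
    // whose metadata is not validated strictly enough.
    // Left unannotated on purpose; it is here only for comparison.
    SecurityFilterChain exposedChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();
        http
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, server -> server
                .oidc(oidc -> oidc
                    // This single line turns the registration endpoint on.
                    .clientRegistrationEndpoint(Customizer.withDefaults())))
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated());
        return http.build();
    }

    // MITIGATED: OpenID Connect stays enabled for normal logins, but no
    // registration endpoint is configured, so /connect/register is not served
    // and the vulnerable metadata-handling path is unreachable.
    @Bean
    SecurityFilterChain mitigatedChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();
        http
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, server -> server
                .oidc(Customizer.withDefaults()))   // no clientRegistrationEndpoint(...)
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated());
        return http.build();
    }
}
```

After deploying the mitigated chain, confirm it took effect by checking that requests to /connect/register no longer reach the registration handler (an unauthenticated request should be rejected by the filter chain rather than answered by the endpoint), and review which registered clients hold the client.create scope, since those are the only principals that can obtain an Initial Access Token once the endpoint is re-enabled on a patched version.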

This vulnerability highlights the risks associated with improperly validated input in authentication systems.

The presence of both stored XSS and SSRF in a single exploit chain significantly increases the attack surface.

Security teams are strongly advised to review their configurations, audit OAuth client registrations, and apply updates without delay to prevent potential compromise.


The post Critical Spring Authorization Server Flaw Enables XSS, Privilege Escalation, and SSRF appeared first on Cyber Security News.
