
fix(deps): update spring.security.version to v7.0.5 [security] #2510

Merged: commjoen merged 1 commit into master from renovate/spring.security.version on Apr 30, 2026

Conversation

@renovate renovate Bot (Contributor) commented Apr 29, 2026

This PR contains the following updates:

Package                                                        Change
org.springframework.security:spring-security-web (source)      7.0.4 -> 7.0.5
org.springframework.security:spring-security-config (source)   7.0.4 -> 7.0.5

Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

CVE-2026-22747 / GHSA-2jrg-rf5x-568g


Details

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user.
This issue affects Spring Security: from 7.0.0 through 7.0.4.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N


This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

CVE-2026-22753 / GHSA-4wrg-8wpc-h923


Details

Vulnerability in Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N




Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules

CVE-2026-22754 / GHSA-4vrc-j85c-598c


Details

Vulnerability in Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N




Release Notes

spring-projects/spring-security (org.springframework.security:spring-security-web)

v7.0.5


⭐ New Features

  • Add XML Based shouldWriteHeadersEagerly tests #​19018
  • Merge Add CredentialRecordOwnerAuthorizationManager #​19005

🪲 Bug Fixes

  • Add equals and hashcode to HttpMethodRequestMatcher #​18963
  • auth_time claim doesn't show the time of the original authentication #​18282
  • auth_time validation fails when SSO session is renewed #​18978
  • Fallback defaultTargetUrl if refererHeader is empty #​18981
  • Fix HttpSessionRequestCache#getMatchingRequest query string parsing #​18972
  • Merge Handle null value in OnCommittedResponseWrapper header methods #​18990
  • OAuth2 client sessionManagement ineffective with DefaultOidcUser #​19022

🔨 Dependency Upgrades

  • Bump @springio/antora-extensions from 1.14.10 to 1.14.11 in /docs #​19054
  • Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs #​18953
  • Bump @springio/antora-extensions from 1.14.9 to 1.14.10 in /docs #​19029
  • Bump @springio/asciidoctor-extensions from 1.0.0-alpha.17 to 1.0.0-alpha.18 in /docs #​18957
  • Bump actions/upload-artifact from 7.0.0 to 7.0.1 #​19096
  • Bump com.webauthn4j:webauthn4j-core from 0.31.1.RELEASE to 0.31.2.RELEASE #​19021
  • Bump com.webauthn4j:webauthn4j-core from 0.31.2.RELEASE to 0.31.3.RELEASE #​19114
  • Bump io.projectreactor:reactor-bom from 2025.0.4 to 2025.0.5 #​19080
  • Bump org.apache.maven:maven-resolver-provider from 3.9.14 to 3.9.15 #​19111
  • Bump org.springframework.data:spring-data-bom from 2025.1.4 to 2025.1.5 #​19113
  • Bump org.springframework.ldap:spring-ldap-core from 4.0.2 to 4.0.3 #​19098
  • Bump org.springframework:spring-framework-bom from 7.0.6 to 7.0.7 #​19112
  • Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 #​18996
  • Bump spring-io/spring-release-actions from 0.0.3 to 0.0.4 #​19095
  • Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml from 1.0.14 to 1.0.15 #​18948

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​rwinch


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
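
The first advisory above says a malformed CN can make the principal extractor read the wrong username. The following is an added example, not Spring Security's code and not a reproduction of the CVE-2026-22747 defect: it contrasts a naive first-"CN=" regex (a strawman assumed here for illustration) with an RDN-aware parse of the RFC 4514 / RFC 2253 string form that Java's X500Principal.getName() produces, on constructed subject DNs. The hardened version also refuses a subject that carries anything other than exactly one CN, so an ambiguous certificate fails closed instead of resolving to an attacker-chosen name.

```python
"""Naive CN extraction versus RDN-aware parsing of an X.500 subject DN.

Added example; not Spring Security's code and not a reproduction of the
CVE-2026-22747 defect. The input format is the RFC 4514 / RFC 2253 string
that Java's X500Principal.getName() returns. All sample DNs are constructed.
"""
import re
from typing import List, Optional, Tuple

# Strawman (assumption for illustration): take the first "CN=" up to the next
# comma, without regard to RDN boundaries or escaping.
NAIVE_CN = re.compile(r"CN=(.*?)(?:,|$)")


def naive_cn(dn: str) -> Optional[str]:
    m = NAIVE_CN.search(dn)
    return m.group(1) if m else None


def parse_rdns(dn: str) -> List[List[Tuple[str, str]]]:
    """Split a DN string into RDNs, each a list of (TYPE, value) pairs.

    Handles backslash escapes ("\\," "\\+" "\\=" ...), two-hex-digit escapes
    ("\\2C"; decoded as one Latin-1 byte, enough for the ASCII specials),
    RFC 2253 quoted values, and multi-valued RDNs joined with "+".
    Malformed input raises ValueError instead of yielding a guess.
    """
    rdns: List[List[Tuple[str, str]]] = []
    rdn: List[Tuple[str, str]] = []
    attr_type: Optional[str] = None
    buf: List[str] = []
    in_quotes = False
    hexdig = "0123456789abcdefABCDEF"

    def finish_value() -> None:
        nonlocal attr_type, buf
        if attr_type is None or not attr_type.strip():
            raise ValueError("attribute value without a type")
        rdn.append((attr_type.strip().upper(), "".join(buf)))
        attr_type, buf = None, []

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling escape at end of DN")
            if i + 2 < n and dn[i + 1] in hexdig and dn[i + 2] in hexdig:
                buf.append(bytes.fromhex(dn[i + 1:i + 3]).decode("latin-1"))
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped literal, e.g. "\," -> ","
                i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c == "=" and attr_type is None:
            attr_type, buf = "".join(buf), []   # first "=" ends the type
        elif not in_quotes and c in ",;":
            finish_value()                      # RDN separator
            rdns.append(rdn)
            rdn = []
        elif not in_quotes and c == "+":
            finish_value()                      # another value in the same RDN
        else:
            buf.append(c)                       # "=" inside a value stays literal
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    finish_value()
    rdns.append(rdn)
    return rdns


def strict_cn(dn: str) -> str:
    """Return the CN, requiring exactly one CN attribute anywhere in the DN.

    Zero or several CNs are ambiguous and rejected, so a subject built to
    confuse the mapping fails authentication rather than becoming someone else.
    """
    cns = [v for rdn in parse_rdns(dn) for t, v in rdn if t == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    return cns[0]


if __name__ == "__main__":
    # Constructed subjects: the first has an OU whose *value* is "CN=admin".
    for dn in ["OU=CN=admin,CN=alice,O=Example",
               "CN=Smith\\, Bob,O=Example",
               "CN=alice+UID=42,O=Example",
               "CN=alice,OU=x,CN=bob"]:
        try:
            strict = strict_cn(dn)
        except ValueError as e:
            strict = f"rejected ({e})"
        print(f"{dn!r:40} naive={naive_cn(dn)!r:18} strict={strict!r}")
```

On the first constructed subject the strawman regex returns "admin" because the OU value happens to contain the text "CN=admin", while the RDN-aware parse returns "alice"; on the last one the strict variant rejects the certificate outright because two CNs are present.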

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 29, 2026
@renovate renovate Bot requested a review from commjoen as a code owner April 29, 2026 20:46
@renovate renovate Bot added the renovate label Apr 29, 2026
@renovate renovate Bot requested a review from bendehaan as a code owner April 29, 2026 20:46
@renovate renovate Bot changed the title from "fix(deps): update dependency org.springframework.security:spring-security-web to v7.0.5 [security]" to "fix(deps): update spring.security.version to v7.0.5 [security]" Apr 29, 2026
@commjoen commjoen merged commit 8af92fe into master Apr 30, 2026
17 checks passed
@commjoen commjoen deleted the renovate/spring.security.version branch April 30, 2026 04:58
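
Because the PR bumps a single Maven property, the check worth running after the merge is that every resolved Spring Security artifact actually left the advisories' affected range (7.0.0 through 7.0.4, fixed in 7.0.5). The script below is an added example, not part of the PR or the project: it parses `mvn dependency:list` output (line layout assumed from Maven's usual groupId:artifactId:type:version:scope form; the sample output is constructed) and flags any org.springframework.security artifact still in range, which is what a BOM import or a direct version pin overriding the property for one module would look like.

```python
"""Flag resolved Spring Security artifacts still inside the advisories' range.

Added example, not from the PR or the project. Reads `mvn dependency:list`
output (format assumed: "[INFO]    groupId:artifactId:type:version:scope")
and reports org.springframework.security artifacts at 7.0.0..7.0.4, the range
GHSA-2jrg-rf5x-568g, GHSA-4wrg-8wpc-h923 and GHSA-4vrc-j85c-598c list as
affected. Any module of the group at that version means the property bump
did not reach it. SAMPLE is constructed.
"""
import re
import sys
from typing import List, Tuple

GROUP = "org.springframework.security"
AFFECTED_LOW = (7, 0, 0)
AFFECTED_HIGH = (7, 0, 4)   # inclusive; 7.0.5 is the first fixed version

# e.g. "[INFO]    org.springframework.security:spring-security-web:jar:7.0.4:compile"
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<t>[\w\-]+):(?P<v>[^:\s]+):(?P<s>\w+)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '7.0.5' -> (7, 0, 5),
    '7.0.5-SNAPSHOT' -> (7, 0, 5), '7.0.5.RELEASE' -> (7, 0, 5).
    Qualifiers are ignored on purpose: a 7.0.4-SNAPSHOT is still in range."""
    nums = []
    for part in v.split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(nums)


def in_affected_range(v: str) -> bool:
    n = list(parse_version(v))[:3]
    n3 = tuple(n + [0] * (3 - len(n)))          # "7.0" compares as 7.0.0
    return AFFECTED_LOW <= n3 <= AFFECTED_HIGH


def vulnerable_artifacts(dependency_list: str) -> List[Tuple[str, str]]:
    """(artifactId, version) for every artifact of GROUP inside the range."""
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if m and m.group("g") == GROUP and in_affected_range(m.group("v")):
            hits.append((m.group("a"), m.group("v")))
    return hits


# Constructed sample: the property bump reached config and core, but web is
# still pinned at 7.0.4 somewhere in the build.
SAMPLE = """\
[INFO] --- dependency:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-web:jar:7.0.4:compile
[INFO]    org.springframework.security:spring-security-config:jar:7.0.5:compile
[INFO]    org.springframework.security:spring-security-core:jar:7.0.5:compile
[INFO]    org.springframework:spring-web:jar:7.0.7:compile
"""

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = vulnerable_artifacts(data)
    for artifact, version in hits:
        print(f"STILL AFFECTED: {GROUP}:{artifact}:{version}")
    sys.exit(1 if hits else 0)
```

Run it as `mvn dependency:list | python3 check_spring_security.py` (file name is a placeholder); with no piped input it runs against the constructed sample and exits non-zero because spring-security-web is still at 7.0.4. Versions below 7.0.0 are simply outside the range these three advisories state, which is not a statement that they are unaffected by anything else.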