CVE-2026-2742 in Flowinfo

Summary

by MITRE • 03/10/2026

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1 in applications using Spring Security, due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update to the latest 14, 23, 24 or 25 version.


Analysis

by VulDB Data Team • 03/15/2026

The vulnerability described in CVE-2026-2742 represents a critical authentication bypass issue within Vaadin applications that utilize Spring Security for access control. This flaw affects multiple version ranges spanning Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7, and 25.0.0 through 25.0.1, creating a significant security risk for organizations relying on these frameworks. The vulnerability stems from inconsistent path pattern matching behavior in the framework's handling of reserved paths, specifically the /VAADIN endpoint which serves as a critical framework resource for application functionality and user sessions.

The technical exploitation of this vulnerability occurs through a specific path matching inconsistency where accessing the /VAADIN endpoint without a trailing slash allows bypassing the security filters that should normally authenticate users before permitting access to framework initialization processes. This behavior creates a scenario where unauthenticated users can trigger the framework's initialization sequence and establish sessions without proper authorization, effectively undermining the entire authentication mechanism. The flaw operates at the framework level rather than application level, meaning that any Vaadin application using Spring Security and running on affected versions becomes vulnerable regardless of the application's specific security configurations. This type of vulnerability falls under CWE-284 Access Control Bypass and aligns with ATT&CK technique T1078 Valid Accounts, as it allows unauthorized access to privileged framework resources through improper access control implementation.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential session hijacking, privilege escalation, and unauthorized modification of framework state. Attackers can leverage this bypass to establish persistent sessions, manipulate framework resources, and potentially gain deeper access to the underlying application functionality. The vulnerability's persistence across multiple major versions indicates a fundamental flaw in the path matching logic that affects a substantial portion of Vaadin users. Organizations using Spring Security with Vaadin frameworks are particularly at risk as the security filters designed to protect framework resources become ineffective when users access specific paths without proper trailing slashes. This creates an attack surface that could enable adversaries to perform reconnaissance, session manipulation, and potentially gain access to sensitive application data or functionality.

The recommended remediation strategy involves upgrading to specific patched versions for each affected major release, with version 14.14.1, 23.6.7, 24.9.8, and 25.0.2 or newer providing the necessary fixes for this vulnerability. These upgrades address the path matching inconsistency that enables the authentication bypass, restoring proper security filter enforcement for framework resources. Security teams should prioritize upgrading all affected applications and verify that the patches have been properly applied to prevent exploitation. Additionally, organizations should consider implementing network-level protections such as web application firewalls to monitor and block suspicious access patterns to framework endpoints. The vulnerability serves as a reminder of the critical importance of proper path handling and access control implementation in web frameworks, particularly when integrating with security mechanisms like Spring Security. Given that Vaadin versions 10-13 and 15-22 are no longer supported, organizations should also plan migration to supported versions to avoid similar issues in the future, as unsupported versions may contain additional undiscovered vulnerabilities that could compromise system security.
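As an added illustration of the two practical checks this advisory implies (example code added here, not code from Vaadin, VulDB or MITRE): a version-range check built from the affected and fixed versions stated above, and a scan over access-log lines that flags anonymous requests to the exact /VAADIN path with no trailing slash, which the advisory identifies as the path that slips past the security filters. The combined-log format, the sample log lines, and the use of the remote-user field as the "anonymous" indicator are assumptions of this example; a deployment that authenticates differently would need a different signal.

```python
import re
from typing import Dict, List, Optional

# Affected ranges (inclusive) and the fixed version for each, as stated in the advisory.
AFFECTED = [
    ((14, 0, 0), (14, 14, 0), (14, 14, 1)),
    ((23, 0, 0), (23, 6, 6), (23, 6, 7)),
    ((24, 0, 0), (24, 9, 7), (24, 9, 8)),
    ((25, 0, 0), (25, 0, 1), (25, 0, 2)),
]
# Majors the advisory lists as no longer supported (10-13 and 15-22).
UNSUPPORTED_MAJORS = set(range(10, 14)) | set(range(15, 23))


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[suffix]' into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Vaadin version: {version!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version: str) -> Optional[str]:
    """Return the version to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for lo, hi, fix in AFFECTED:
        if lo <= v <= hi:
            return ".".join(str(n) for n in fix)
    return None


def remediation_advice(version: str, uses_spring_security: bool = True) -> str:
    """Summarise what the advisory says to do for one deployed Vaadin version."""
    if not uses_spring_security:
        return "not affected: application does not use Spring Security"
    major = parse_version(version)[0]
    if major in UNSUPPORTED_MAJORS:
        return f"unsupported major {major}: migrate to the latest 14, 23, 24 or 25 release"
    fix = fixed_version_for(version)
    if fix is None:
        return "not in an affected range"
    return f"affected: upgrade to {fix} or newer"


# Apache/nginx combined-log layout (assumed); remote-user is the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_vaadin_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests to the exact '/VAADIN' path (no trailing slash) made without a
    remote user. A 2xx here is the case the advisory describes: the request reached
    framework initialisation without passing the security filters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]   # drop any query string
        if path == "/VAADIN" and m.group("user") == "-":
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": status,
                "reached_framework": 200 <= status < 300,
            })
    return hits


# Constructed sample log lines; only lines 1 and 4 hit the exact path anonymously.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2026:10:01:02 +0000] "GET /VAADIN HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [15/Mar/2026:10:01:03 +0000] "GET /VAADIN/ HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.4 - alice [15/Mar/2026:10:02:10 +0000] "GET /VAADIN/static/client/client.js HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2026:10:03:44 +0000] "GET /VAADIN?v=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.9 - - [15/Mar/2026:10:04:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for v in ("14.14.0", "24.3.1", "24.9.8", "25.0.2", "22.0.5"):
        print(v, "->", remediation_advice(v))
    for hit in flag_vaadin_probes(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run against a real access log, the flagged entries are the ones to correlate with session creation on the application side; once the patched version is deployed, the same anonymous request to /VAADIN should no longer produce a 2xx, which gives a quick post-upgrade check.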

Responsible

Vaadin

Reservation

02/19/2026

Disclosure

03/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00370

KEV

no

Activities

very low
