Vulnerability details: VCID-jasw-zntp-nkdd
Vulnerability ID: VCID-jasw-zntp-nkdd
Aliases: CVE-2018-1258, GHSA-cxrj-66c5-9fmh
Summary: Incorrect Authorization. Spring Framework, when used in combination with Spring Security, contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
Weaknesses (4)
System Score Found at
cvssv3.1 8.8 https://access.redhat.com/errata/RHSA-2019:2413
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:2413
cvssv3 5.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1258.json
epss 0.00265 https://api.first.org/data/v1/epss?cve=CVE-2018-1258
cvssv3.1 8.8 https://github.com/advisories/GHSA-cxrj-66c5-9fmh
generic_textual HIGH https://github.com/advisories/GHSA-cxrj-66c5-9fmh
cvssv3.1 8.8 https://github.com/spring-projects/spring-framework
generic_textual HIGH https://github.com/spring-projects/spring-framework
cvssv3.1 8.8 https://github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1
generic_textual HIGH https://github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1258
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2018-1258
cvssv3.1 8.8 https://pivotal.io/security/cve-2018-1258
generic_textual HIGH https://pivotal.io/security/cve-2018-1258
cvssv3.1 8.8 https://security.netapp.com/advisory/ntap-20181018-0002
generic_textual HIGH https://security.netapp.com/advisory/ntap-20181018-0002
cvssv3.1 8.8 https://web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222
generic_textual HIGH https://web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222
cvssv3.1 8.8 https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888
generic_textual HIGH https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888
cvssv3.1 8.8 https://web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896
generic_textual HIGH https://web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896
cvssv3.1 8.8 https://www.oracle.com/security-alerts/cpuapr2020.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuapr2020.html
cvssv3.1 8.8 https://www.oracle.com/security-alerts/cpujan2020.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujan2020.html
cvssv3.1 8.8 https://www.oracle.com/security-alerts/cpujan2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujan2021.html
cvssv3.1 8.8 https://www.oracle.com/security-alerts/cpujul2020.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujul2020.html
cvssv3.1 8.8 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuoct2021.html
cvssv3.1 8.8 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
generic_textual HIGH https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
cvssv3.1 8.8 https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
generic_textual HIGH https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
cvssv3.1 8.8 https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
generic_textual HIGH https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
cvssv3.1 8.8 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
cvssv3.1 8.8 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2019:2413
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1258.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1258
https://github.com/advisories/GHSA-cxrj-66c5-9fmh
https://github.com/spring-projects/spring-framework
https://github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1
https://github.com/spring-projects/spring-security/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f
https://github.com/spring-projects/spring-security/commit/fed15f2b01b763158f6650afa13059203366974
https://security.netapp.com/advisory/ntap-20181018-0002
https://web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222
https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888
https://web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/104222
http://www.securitytracker.com/id/1041888
http://www.securitytracker.com/id/1041896
1578582 https://bugzilla.redhat.com/show_bug.cgi?id=1578582
CVE-2018-1258 https://nvd.nist.gov/vuln/detail/CVE-2018-1258
CVE-2018-1258 https://pivotal.io/security/cve-2018-1258
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:2413
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1258.json
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-cxrj-66c5-9fmh
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-framework
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1258
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://pivotal.io/security/cve-2018-1258
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20181018-0002
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuapr2020.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2020.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2021.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2020.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.50208
EPSS Score 0.00265
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:37:41.447340+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2018-1258.yml 38.6.0