Vulnerability-Lookup

WID-SEC-W-2026-0675

Vulnerability from csaf_certbund - Published: 2026-03-10 23:00 - Updated: 2026-03-10 23:00

Summary

Vaadin: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Vaadin ist eine Java Web Entwicklungsplattform.

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Vaadin ausnutzen, um Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Sonstiges

CVE-2026-2741

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
Open Source Vaadin <23.6.7 Open Source / Vaadin		<23.6.7
Open Source Vaadin <24.9.8 Open Source / Vaadin		<24.9.8
Open Source Vaadin <25.0.4 Open Source / Vaadin		<25.0.4
Open Source Vaadin <23.6.8 Open Source / Vaadin		<23.6.8
Open Source Vaadin <24.9.10 Open Source / Vaadin		<24.9.10
Open Source Vaadin <14.14.1 Open Source / Vaadin		<14.14.1
Open Source Vaadin <25.0.2 Open Source / Vaadin		<25.0.2

CVE-2026-2742

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
Open Source Vaadin <23.6.7 Open Source / Vaadin		<23.6.7
Open Source Vaadin <24.9.8 Open Source / Vaadin		<24.9.8
Open Source Vaadin <14.14.1 Open Source / Vaadin		<14.14.1
Open Source Vaadin <25.0.2 Open Source / Vaadin		<25.0.2

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://vaadin.com/security/cve-2026-2741	external
https://vaadin.com/security/cve-2026-2742	external
https://bugzilla.redhat.com/show_bug.cgi?id=2446005	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Vaadin ist eine Java Web Entwicklungsplattform.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Vaadin ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0675 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0675.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0675 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0675"
      },
      {
        "category": "external",
        "summary": "Vaadin Vulnerability Report CVE-2026-2741 vom 2026-03-10",
        "url": "https://vaadin.com/security/cve-2026-2741"
      },
      {
        "category": "external",
        "summary": "Vaadin Vulnerability Report CVE-2026-2742 vom 2026-03-10",
        "url": "https://vaadin.com/security/cve-2026-2742"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2446005 vom 2026-03-10",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446005"
      }
    ],
    "source_lang": "en-US",
    "title": "Vaadin: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-10T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-11T09:21:30.922+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0675",
      "initial_release_date": "2026-03-10T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-10T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c14.14.1",
                "product": {
                  "name": "Open Source Vaadin \u003c14.14.1",
                  "product_id": "T051566"
                }
              },
              {
                "category": "product_version",
                "name": "14.14.1",
                "product": {
                  "name": "Open Source Vaadin 14.14.1",
                  "product_id": "T051566-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:14.14.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c23.6.8",
                "product": {
                  "name": "Open Source Vaadin \u003c23.6.8",
                  "product_id": "T051567"
                }
              },
              {
                "category": "product_version",
                "name": "23.6.8",
                "product": {
                  "name": "Open Source Vaadin 23.6.8",
                  "product_id": "T051567-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:23.6.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.9.10",
                "product": {
                  "name": "Open Source Vaadin \u003c24.9.10",
                  "product_id": "T051568"
                }
              },
              {
                "category": "product_version",
                "name": "24.9.10",
                "product": {
                  "name": "Open Source Vaadin 24.9.10",
                  "product_id": "T051568-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:24.9.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c25.0.4",
                "product": {
                  "name": "Open Source Vaadin \u003c25.0.4",
                  "product_id": "T051569"
                }
              },
              {
                "category": "product_version",
                "name": "25.0.4",
                "product": {
                  "name": "Open Source Vaadin 25.0.4",
                  "product_id": "T051569-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:25.0.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c23.6.7",
                "product": {
                  "name": "Open Source Vaadin \u003c23.6.7",
                  "product_id": "T051570"
                }
              },
              {
                "category": "product_version",
                "name": "23.6.7",
                "product": {
                  "name": "Open Source Vaadin 23.6.7",
                  "product_id": "T051570-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:23.6.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.9.8",
                "product": {
                  "name": "Open Source Vaadin \u003c24.9.8",
                  "product_id": "T051571"
                }
              },
              {
                "category": "product_version",
                "name": "24.9.8",
                "product": {
                  "name": "Open Source Vaadin 24.9.8",
                  "product_id": "T051571-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:24.9.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c25.0.2",
                "product": {
                  "name": "Open Source Vaadin \u003c25.0.2",
                  "product_id": "T051572"
                }
              },
              {
                "category": "product_version",
                "name": "25.0.2",
                "product": {
                  "name": "Open Source Vaadin 25.0.2",
                  "product_id": "T051572-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:25.0.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Vaadin"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-2741",
      "product_status": {
        "known_affected": [
          "T051570",
          "T051571",
          "T051569",
          "T051567",
          "T051568",
          "T051566",
          "T051572"
        ]
      },
      "release_date": "2026-03-10T23:00:00.000+00:00",
      "title": "CVE-2026-2741"
    },
    {
      "cve": "CVE-2026-2742",
      "product_status": {
        "known_affected": [
          "T051570",
          "T051571",
          "T051566",
          "T051572"
        ]
      },
      "release_date": "2026-03-10T23:00:00.000+00:00",
      "title": "CVE-2026-2742"
    }
  ]
}

CVE-2026-2741 (GCVE-0-2026-2741)

Vulnerability from cvelistv5 – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52

Title

Zip Slip Path Traversal on Node Unpack

Summary

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory. Users of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Severity

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

Vaadin

References

6 references

URL	Tags
https://vaadin.com/security/cve-2026-2741
https://github.com/vaadin/flow/pull/23125
https://github.com/vaadin/flow/pull/23131
https://github.com/vaadin/flow/pull/23135
https://github.com/vaadin/flow/pull/23133
https://github.com/vaadin/flow/pull/23130

Impacted products

3 products

Vendor	Product	Version
vaadin	vaadin	Affected: 14.2.0 , ≤ 14.14.0 (maven) Affected: 15.0.0 , ≤ 23.6.6 (maven) Affected: 24.0.0 , ≤ 24.9.8 (maven) Affected: 25.0.0 , ≤ 25.0.2 (maven)
vaadin	flow	Affected: 2.2.0 , ≤ 2.13.0 (maven) Affected: 3.0.0 , ≤ 23.6.7 (maven) Affected: 24.0.0 , ≤ 24.9.9 (maven)
vaadin	flow	Affected: 25.0.0 , ≤ 25.0.3 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2741",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:45:35.148213Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:45:42.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:vaadin",
          "product": "vaadin",
          "repo": "https://github.com/vaadin/platform",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "14.14.0",
              "status": "affected",
              "version": "14.2.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.6.6",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.8",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.2",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-server",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "2.13.0",
              "status": "affected",
              "version": "2.2.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.6.7",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.9",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-build-tools",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "25.0.3",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003e\u003cp\u003eSpecially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \u003cbr\u003e\u003cbr\u003eVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\u003c/p\u003e\n\u003cp\u003eUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \n\nVaadin\u2019s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\n\n\nUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T10:52:34.173Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2026-2741"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23125"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23131"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23135"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23133"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23130"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Zip Slip Path Traversal on Node Unpack",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUse a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Use a globally preinstalled Node.js that is compatible with the Vaadin version instead of relying on Vaadin\u0027s automatic Node.js download."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2026-2741",
    "datePublished": "2026-03-10T12:08:30.515Z",
    "dateReserved": "2026-02-19T11:59:57.103Z",
    "dateUpdated": "2026-03-16T10:52:34.173Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2742 (GCVE-0-2026-2742)

Vulnerability from cvelistv5 – Published: 2026-03-10 12:08 – Updated: 2026-03-16 10:52

Title

Unauthorized session creation via reserved framework path access

Summary

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.

Severity

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-284 - Improper Access Control

Assigner

Vaadin

References

7 references

URL	Tags
https://vaadin.com/security/cve-2026-2742
https://github.com/vaadin/flow/pull/22998
https://github.com/vaadin/flow/pull/23037
https://github.com/vaadin/flow/pull/23057
https://github.com/vaadin/flow/pull/23052
https://github.com/vaadin/flow/pull/23034
https://github.com/vaadin/flow/pull/23033

Impacted products

2 products

Vendor	Product	Version
vaadin	vaadin	Affected: 10.0.0 , ≤ 14.14.0 (maven) Affected: 15.0.0 , ≤ 23.6.6 (maven) Affected: 24.0.0 , ≤ 24.9.7 (maven) Affected: 25.0.0 , ≤ 25.0.1 (maven)
vaadin	flow	Affected: 1.0.0 , ≤ 2.13.0 (maven) Affected: 3.0.0 , ≤ 23.6.7 (maven) Affected: 24.0.0 , ≤ 24.9.7 (maven) Affected: 25.0.0 , < 25.0.1 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2742",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:42:57.456886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:44:47.450Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:vaadin",
          "product": "vaadin",
          "repo": "https://github.com/vaadin/platform",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "14.14.0",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.6.6",
              "status": "affected",
              "version": "15.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.7",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "25.0.1",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:flow-server",
          "product": "flow",
          "repo": "https://github.com/vaadin/flow",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "2.13.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "23.6.7",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.7",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThan": "25.0.1",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eAn authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u0026nbsp;applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\u003cbr\u003e\u003cbr\u003eAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\u003cbr\u003e\u003cbr\u003eUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u0026nbsp;23.0.0-23.6.6 to\u0026nbsp;23.6.7,\u0026nbsp;24.0.0 - 24.9.7 to\u0026nbsp;24.9.8, and\u0026nbsp;25.0.0-25.0.1 upgrade to\u0026nbsp;25.0.2 or newer.\u003cbr\u003e\u003cbr\u003ePlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1,\u00a0applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\n\nAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\n\nUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1,\u00a023.0.0-23.6.6 to\u00a023.6.7,\u00a024.0.0 - 24.9.7 to\u00a024.9.8, and\u00a025.0.0-25.0.1 upgrade to\u00a025.0.2 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-554",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-554 Functionality Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T10:52:30.637Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2026-2742"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/22998"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23037"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23057"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23052"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23034"
        },
        {
          "url": "https://github.com/vaadin/flow/pull/23033"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthorized session creation via reserved framework path access",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2026-2742",
    "datePublished": "2026-03-10T12:08:48.738Z",
    "dateReserved": "2026-02-19T12:00:12.056Z",
    "dateUpdated": "2026-03-16T10:52:30.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0675

CVE-2026-2741 (GCVE-0-2026-2741)

CVE-2026-2742 (GCVE-0-2026-2742)

Tags

Sightings

Nomenclature