{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "15.0.0"
              },
              {
                "last_affected": "23.6.6"
              },
              {
                "introduced": "24.0.0"
              },
              {
                "last_affected": "24.9.7"
              },
              {
                "introduced": "25.0.0"
              },
              {
                "last_affected": "25.0.1"
              },
              {
                "fixed": "25.0.1"
              },
              {
                "introduced": "1.0.0"
              },
              {
                "last_affected": "2.13.0"
              },
              {
                "introduced": "3.0.0"
              },
              {
                "last_affected": "23.6.7"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "introduced": "f5bd08834302a4f461b920dea6d0be8808e88a50"
            },
            {
              "introduced": "d3e5f6448dd0563cd62137836ea4fd5be69c9067"
            },
            {
              "fixed": "dc64bafff1d2bf12e73ce433941c484b8d123d53"
            },
            {
              "introduced": "3cd0c02025aba6de6fd78a8ea65c67483a721b4e"
            },
            {
              "introduced": "4b6ca4330163c4e976b32d03880fe2154a9d1ca7"
            }
          ],
          "repo": "https://github.com/vaadin/flow",
          "type": "GIT"
        },
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "10.0.0"
              },
              {
                "fixed": "14.14.1"
              },
              {
                "introduced": "15.0.0"
              },
              {
                "fixed": "23.6.7"
              },
              {
                "introduced": "24.0.0"
              },
              {
                "fixed": "24.9.8"
              },
              {
                "introduced": "25.0.0"
              },
              {
                "fixed": "25.0.2"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "8e1b5f1a3f9bb984108d172f19d4d2df4a1987f5"
            },
            {
              "fixed": "ecdbd581aa8f05d30390b791c53a3d61a25fda3c"
            },
            {
              "introduced": "354ad0186b5e61b548adad84de03af297dc6f2a6"
            },
            {
              "fixed": "e576f406b9f7f28cc7df549145e7983cd4efb25c"
            },
            {
              "introduced": "6aea8fa5fdf6b2c7645a54e1bc38978ee40b26df"
            },
            {
              "fixed": "e4a10d57d219a197451591c596fe19334ba7ddb1"
            },
            {
              "introduced": "f7582b4be60fe9100489237bb8b022783a288766"
            },
            {
              "fixed": "e5c34fb3b0b6606502ccd91a25514f44b1672859"
            }
          ],
          "repo": "https://github.com/vaadin/platform",
          "type": "GIT"
        },
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "10.0.0"
              },
              {
                "fixed": "14.14.1"
              },
              {
                "introduced": "15.0.0"
              },
              {
                "fixed": "23.6.7"
              },
              {
                "introduced": "24.0.0"
              },
              {
                "fixed": "24.9.8"
              },
              {
                "introduced": "25.0.0"
              },
              {
                "fixed": "25.0.2"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "7ac406600a3c1a228e15ba253fe844f7e13771a0"
            },
            {
              "fixed": "2fb28ea68d4354625468e8d53dd87e892e466057"
            },
            {
              "introduced": "9efda1b1e0a27769eef9292dd7799d8fea77e633"
            },
            {
              "fixed": "220a7e475d06b7442c8f6f45ce4b08c78f19e828"
            },
            {
              "introduced": "a45cc881358732b3d594b20750f1369a65d7237a"
            },
            {
              "fixed": "a3ea95049825d8510cdb110cb9e6a663182e084b"
            },
            {
              "introduced": "1bbe0e9e6b57f11d3fbb7b58810f72fbf106ef43"
            },
            {
              "fixed": "321adece24930836170106a4b719a3c5c55a2362"
            }
          ],
          "repo": "https://github.com/vaadin/vaadin",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Vaadin",
    "cwe_ids": [
      "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2742.json"
  },
  "details": "An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.\n\nAccessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.\n\nUsers of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.",
  "id": "CVE-2026-2742",
  "modified": "2026-07-08T05:39:08.173671893Z",
  "published": "2026-03-10T12:08:48.738Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://repo.maven.apache.org/maven2"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2026-2742"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2742.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2742"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/22998"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/23033"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/23034"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/23037"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/23052"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vaadin/flow/pull/23057"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/flow"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/platform"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthorized session creation via reserved framework path access"
}