🔐 CVE Alert

CVE-2026-2742

UNKNOWN 0.0

Unauthorized session creation via reserved framework path access

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1 in applications using Spring Security, caused by inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses the security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported, and you should update to the latest 14, 23, 24 or 25 version.

CWE CWE-284
Vendor vaadin
Product vaadin
Published Mar 10, 2026
Last Updated Mar 16, 2026

Affected Versions

vaadin / vaadin
10.0.0 ≤ 14.14.0
15.0.0 ≤ 23.6.6
24.0.0 ≤ 24.9.7
25.0.0 ≤ 25.0.1

vaadin / flow
1.0.0 ≤ 2.13.0
3.0.0 ≤ 23.6.7
24.0.0 ≤ 24.9.7
25.0.0 < 25.0.1

References

vaadin.com: https://vaadin.com/security/cve-2026-2742
github.com: https://github.com/vaadin/flow/pull/22998
github.com: https://github.com/vaadin/flow/pull/23037
github.com: https://github.com/vaadin/flow/pull/23057
github.com: https://github.com/vaadin/flow/pull/23052
github.com: https://github.com/vaadin/flow/pull/23034
github.com: https://github.com/vaadin/flow/pull/23033