fix(security): mitigate CVE-2026-22732 — Spring Security HTTP headers not written #41669

Open

subrata71 wants to merge 2 commits into release from fix/cve-2026-22732-spring-security-headers

Conversation

@subrata71 subrata71 commented Mar 28, 2026

Description

TL;DR: Upgrades Spring Boot from 3.5.11 to 3.5.12 to mitigate CVE-2026-22732 (CVSS 9.1 — Critical), a vulnerability where Spring Security HTTP response headers may not be written under certain conditions.

What is CVE-2026-22732?

Under some conditions, Spring Security fails to write HTTP response headers (such as Cache-Control, Pragma, X-Content-Type-Options) for servlet applications. This can expose applications to:

  • Data leakage through browser and proxy caching mechanisms
  • Clickjacking due to missing frame-options headers
  • XSS via MIME-sniffing due to missing content-type-options headers

Affected versions: Spring Security 6.5.0 – 6.5.8
Fix version: Spring Security 6.5.9
Advisory: https://spring.io/security/cve-2026-22732

Why upgrade Spring Boot instead of just overriding spring-security.version?

Two approaches were evaluated:

| Approach | Pros | Cons |
| --- | --- | --- |
| Override spring-security.version to 6.5.9 | Narrowest change | Creates version skew — Security 6.5.9 was tested with Framework 6.2.17, not 6.2.16. Breaks the BOM compatibility contract. |
| Upgrade Spring Boot 3.5.11 → 3.5.12 | All dependencies tested together by the Spring Boot team. Gets both Security 6.5.9 + Framework 6.2.17. | More transitive dependency changes (all patch-level). |

We chose Option B because:

  1. Spring Boot 3.5.12 was released on March 19, 2026 — the same day as the CVE disclosure — specifically to address this vulnerability
  2. All dependency changes are patch-level bumps within the same minor versions (Reactor 2024.0.15→16, Micrometer 1.15.9→10, etc.)
  3. The libraries that changed beyond Spring itself (Kafka, Hibernate, Jetty, Pulsar) are not direct dependencies of the Appsmith server module — zero runtime impact
  4. Keeps the BOM's tested-together guarantee intact rather than introducing manual version overrides

Lombok pin

Spring Boot 3.5.12 bumps Lombok from 1.18.42 to 1.18.44. Lombok 1.18.44 introduced a breaking change where @FieldNameConstants generates inner Fields classes with private constructors, which broke the project's pattern of subclassing BaseDomain.Fields across 13 domain classes. The fix pins Lombok back to 1.18.42 via <lombok.version>1.18.42</lombok.version> — the same pattern already used in the project for Jackson and SnakeYAML overrides.

Applicability note

While the CVE advisory specifically states "servlet applications" and Appsmith uses WebFlux (reactive), the vulnerable spring-security-web jar is on the classpath. Upgrading is prudent for compliance, defense-in-depth, and because the reactive header-writing code shares internals with the servlet path.

Changes

  • app/server/pom.xml: Bump spring-boot-starter-parent from 3.5.11 → 3.5.12
  • app/server/pom.xml: Pin <lombok.version>1.18.42</lombok.version> to avoid @FieldNameConstants breakage

Verification

| Check | Result |
| --- | --- |
| Spring Security version | 6.5.9 (patched) |
| Spring Framework version | 6.2.17 (patched) |
| Lombok version | 1.18.42 (pinned) |
| Full project build (./build.sh -DskipTests -T 8, 31 modules) | BUILD SUCCESS |
| Unit tests (reactive-caching, appsmith-interfaces, appsmith-git) | All 68 passed |
| appsmith-server unit tests (non-Spring-context) | All passed |

Fixes https://spring.io/security/cve-2026-22732
Fixes https://linear.app/appsmith/issue/APP-15061/critical-cve-2026-22732-spring-security-http-headers-not-written

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/23677516478
Commit: e2bec36
Cypress dashboard.
Tags: @tag.All
Spec:

Sat, 28 Mar 2026 09:31:55 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated Spring Boot parent version to 3.5.12.
    • Added and set Lombok version to 1.18.42 and configured the build to use this Lombok version for compilation.
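The Verification table above confirms the fix by dependency version, but the vulnerability itself is that the headers are not written at runtime, so the deployed response is worth checking too. The following Python audit is an added example, not code from this PR or from Appsmith: it parses an HTTP response header block and reports which of Spring Security's default headers (Cache-Control, Pragma, Expires, X-Content-Type-Options, X-Frame-Options) are missing or carry unexpected values. The expected values are Spring Security's documented defaults for its header writers; the two sample responses are constructed for the example, and `audit_url` (which fetches a live URL) is a convenience that is not exercised offline.

```python
"""Audit an HTTP response for the headers Spring Security writes by default.

Added example (not Appsmith or Spring code). The expected values below are
Spring Security's documented defaults for its header writers; the sample
responses are constructed, not captured from a real deployment.
"""
from __future__ import annotations

import urllib.request
from collections.abc import Callable


def _directives(value: str) -> set[str]:
    """Split a comma-separated header value into normalised directives."""
    return {d.strip().lower().replace(" ", "") for d in value.split(",") if d.strip()}


# header name (lower-case) -> (human-readable expectation, predicate on the value)
EXPECTED: dict[str, tuple[str, Callable[[str], bool]]] = {
    "cache-control": (
        "no-cache, no-store, max-age=0, must-revalidate",
        lambda v: {"no-cache", "no-store", "max-age=0", "must-revalidate"} <= _directives(v),
    ),
    "pragma": ("no-cache", lambda v: v.strip().lower() == "no-cache"),
    "expires": ("0", lambda v: v.strip() == "0"),
    "x-content-type-options": ("nosniff", lambda v: v.strip().lower() == "nosniff"),
    # DENY is Spring Security's default; SAMEORIGIN is the other value that still blocks cross-site framing.
    "x-frame-options": ("DENY or SAMEORIGIN", lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}),
}


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a lower-cased name -> value dict."""
    headers: dict[str, str] = {}
    lines = raw.lstrip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # the empty line terminates the header block; the body follows
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        # A repeated field is equivalent to one comma-joined field (RFC 9110 section 5.3).
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per expected header that is missing or has an unexpected value.

    An empty list means every default Spring Security header is present with an acceptable value.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    for name, (expected, accepts) in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing {name} (expected {expected})")
        elif not accepts(lower[name]):
            findings.append(f"unexpected {name}: {lower[name]!r} (expected {expected})")
    return findings


def audit_url(url: str) -> list[str]:
    """Fetch a URL and audit the headers of the live response (network; not run by the tests)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="GET"), timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))


# Constructed sample: what a response looks like when the header writers run.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0

{"status":"ok"}"""

# Constructed sample: the failure mode the CVE describes, the security headers never written.
STRIPPED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{"status":"ok"}"""


if __name__ == "__main__":
    for label, raw in (("patched", GOOD_RESPONSE), ("headers not written", STRIPPED_RESPONSE)):
        findings = audit_headers(parse_response_headers(raw))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a response captured with `curl -si` (paste the output into `parse_response_headers`) or point `audit_url` at a staging deployment; an empty result means the header writers ran, while a list of `missing ...` findings on an endpoint that is supposed to be protected is the runtime symptom this PR's upgrade is meant to remove.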

…5.12

Upgrade Spring Boot from 3.5.11 to 3.5.12, which bundles Spring Security
6.5.9 (patched) and Spring Framework 6.2.17. Pin Lombok to 1.18.42 to
avoid a breaking change in 1.18.44 that makes @FieldNameConstants inner
class constructors private.
@subrata71 subrata71 requested a review from sharat87 as a code owner March 28, 2026 04:14
coderabbitai bot commented Mar 28, 2026

Walkthrough

Spring Boot parent BOM updated from 3.5.11 to 3.5.12. A new Maven property lombok.version = 1.18.42 was added and used by the compiler plugin's Lombok annotationProcessorPaths.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Maven config: app/server/pom.xml | Bumped Spring Boot parent from 3.5.11 → 3.5.12; added lombok.version property set to 1.18.42 and wired it into maven-compiler-plugin annotationProcessorPaths. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🌱 Spring updated, versions align,
Lombok fixed at a tidy line,
Maven hums a steadier tune,
Build-time clarity arriving soon.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title clearly identifies the main change: a security fix for CVE-2026-22732 mitigating Spring Security HTTP header issues. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The pull request description comprehensively addresses the CVE, justifies the upgrade approach, explains the Lombok pin, and documents verification steps. |

linear bot commented Mar 28, 2026

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
app/server/pom.xml (1)

33-34: Add a tracked issue reference to the Lombok version pin.

The pin is valid—there are 67+ @FieldNameConstants usages across 30+ Java files using the inner Fields class pattern that triggers the breaking change in 1.18.44. However, without an explicit issue tracker (e.g., TEMP(APP-XXXX)), this constraint may silently block future Lombok upgrades. Consider updating the comment to reference a ticket and document the migration surface required to remove it.

♻️ Suggested tweak
-        <!-- Pin Lombok to 1.18.42 to avoid breaking `@FieldNameConstants` inner class constructor change in 1.18.44 -->
+        <!-- TEMP(APP-XXXX): Pin Lombok to 1.18.42 due `@FieldNameConstants` constructor behavior in 1.18.44.
+             Remove after migrating affected patterns, then return to Spring Boot managed version. -->
         <lombok.version>1.18.42</lombok.version>
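Review bot: the first `+` line reads "due `@FieldNameConstants` constructor behavior", dropping the "to" of "due to", and `TEMP(APP-XXXX)` is a placeholder, so the suggestion must not be applied verbatim: substitute a real ticket id (the PR links APP-15061 for the CVE itself; whether that ticket or a new one should track the Lombok migration is for the author to decide) and write "due to the `@FieldNameConstants` inner-class constructor change in 1.18.44". The second `+` line's "affected patterns" would be more useful if it named the concrete migration surface the description gives, the subclassing of `BaseDomain.Fields` across 13 domain classes, since that is what an upgrader has to change before the pin can go.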
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f9a23d79-4049-4b98-9fd3-1b8bffa1c412

📥 Commits

Reviewing files that changed from the base of the PR and between b47d782 and 1a2f84f.

📒 Files selected for processing (1)
  • app/server/pom.xml

@subrata71 subrata71 removed the request for review from sharat87 March 28, 2026 04:19
@subrata71 subrata71 self-assigned this Mar 28, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Mar 28, 2026
subrata71 (Collaborator, Author) commented

Proof that the CVE has been resolved: I created a DP in the shadow EE PR, and the Docker Scout results confirm the fix. Previously, there were three CRITICAL CVEs; this has now been reduced to two.

[Screenshot 2026-03-28 at 3.49.40 PM] [Screenshot 2026-03-28 at 3.49.34 PM]
