Overview
In CVE-2022-23726, PingCentral versions prior to the patched releases exposed Spring Boot actuator endpoints that, when accessed with administrative authentication, returned large amounts of sensitive environment and application information. This is a concrete instance of a Broken Object Property Level Authorization vulnerability: an endpoint intended for management data returns nested configuration details that should be restricted. The issue maps to CWE-200 (Information Disclosure) and CWE-732 (Insecure Permission Assignment), as referenced in the CVE. In real deployments, an administrator with access to /actuator/env, /actuator/configprops, or /actuator/beans could harvest secrets such as environment variables, JDBC URLs, and other configuration data, enabling further reconnaissance or compromise. Misconfigured actuator exposure and insufficient authorization checks on management endpoints enable this leakage in Spring Boot-based services. Upgrading PingCentral to a patched version that ships with properly hardened actuator defaults mitigates this risk and prevents unintended disclosure through management endpoints.
This class of vulnerability illustrates the danger of object-level data being returned by endpoints without proper authorization filters. Even with authentication in place, the returned data structures may contain sensitive nested properties that should be protected from general administrative access. Applying strict endpoint exposure controls, disabling verbose configuration endpoints, and enforcing role-based access to actuator resources are essential defenses in Spring Boot environments.
Remediation requires both component upgrades and configuration hardening. By combining a minimal exposure set for actuator endpoints, explicit RBAC rules for /actuator/**, and disabling or filtering sensitive endpoints (env, configprops, beans), you can greatly reduce the risk of information leakage. The recommended approach is to upgrade PingCentral to the patched release, then apply Spring Boot hardening patterns described below to ensure that only intended data is exposed to authorized users.
In practice, developers should implement explicit access controls, review actuator endpoint exposure, and validate that property-level data cannot be retrieved by unauthorized roles. The fix should be validated with security testing that attempts to enumerate environment/config properties with normal admin credentials to confirm there is no unintended data exposure.
Code Fix Example
Spring Boot API Security Remediation
/* Vulnerable pattern (actuator endpoints broadly exposed; minimal RBAC) */
// Vulnerable security configuration (example). WebSecurityConfigurerAdapter is
// deprecated since Spring Security 5.7; it is kept here to match the original pattern.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class VulnerableSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Any authenticated principal, whatever its role, can reach
                // /actuator/env, /actuator/configprops and /actuator/beans.
                .anyRequest().authenticated()
            .and()
            .httpBasic(); // Access to /actuator/** relies solely on basic auth
    }
}
/* Fixed pattern (restrict actuator endpoints and disable sensitive ones) */
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class FixedSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matchers are evaluated in order: the specific health rule must
                // precede the /actuator/** catch-all, or it would never apply.
                .antMatchers("/actuator/health").permitAll()
                .antMatchers("/actuator/**").hasRole("ADMIN")
                // Keep the rest of the application authenticated; without this
                // rule, requests matching no matcher would not be protected at all.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
/* Additional configuration (properties) - place in application.properties */
# Vulnerable (exposes verbose endpoints)
# management.endpoints.web.exposure.include=*
# management.endpoint.env.enabled=true
# management.endpoint.beans.enabled=true
# management.endpoint.configprops.enabled=true
# Fixed (limit exposure and disable sensitive endpoints)
# Only health and info are exposed over HTTP; exclude takes precedence over include,
# and disabling an endpoint removes it regardless of the exposure lists.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,configprops,beans
management.endpoint.env.enabled=false
management.endpoint.configprops.enabled=false
management.endpoint.beans.enabled=false
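To check the property-level hardening above without a running server, here is an added example (not PingCentral's or Spring Boot's code) that audits an application.properties file and reports which of the sensitive endpoints would still be reachable over HTTP. It assumes Spring Boot's exposure rules (`*` expands to all endpoints, `exclude` takes precedence over `include`, and `management.endpoint.<id>.enabled=false` removes the endpoint), a default include of `health`, and the constructed endpoint list and sample property sets embedded in the code.

```python
# Sensitive actuator endpoints named in the advisory.
SENSITIVE = {"env", "configprops", "beans"}
# Exposure used when no include is configured (assumption: Spring Boot's default of "health").
DEFAULT_INCLUDE = {"health"}
# Endpoint ids used to expand a wildcard include (constructed list, not exhaustive).
KNOWN_ENDPOINTS = {"health", "info", "env", "configprops", "beans",
                   "metrics", "mappings", "loggers", "threaddump", "heapdump"}

def parse_properties(text):
    """Minimal application.properties parser: key=value lines, comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def _expand(value, default):
    """Turn an include/exclude value into a set; '*' means every known endpoint."""
    if value is None:
        return set(default)
    if value.strip() == "*":
        return set(KNOWN_ENDPOINTS)
    return {v.strip() for v in value.split(",") if v.strip()}

def effective_exposure(props):
    """Endpoints reachable over HTTP: exclude beats include, and an endpoint
    with management.endpoint.<id>.enabled=false is never exposed."""
    include = _expand(props.get("management.endpoints.web.exposure.include"), DEFAULT_INCLUDE)
    exclude = _expand(props.get("management.endpoints.web.exposure.exclude"), set())
    return {ep for ep in include - exclude
            if props.get(f"management.endpoint.{ep}.enabled", "true").lower() == "true"}

def audit(text):
    """Return the sensitive endpoints still exposed; an empty set means hardened."""
    return effective_exposure(parse_properties(text)) & SENSITIVE

# Constructed samples mirroring the vulnerable and fixed property sets above.
VULNERABLE_PROPERTIES = "management.endpoints.web.exposure.include=*\n"
FIXED_PROPERTIES = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,configprops,beans
management.endpoint.env.enabled=false
management.endpoint.configprops.enabled=false
management.endpoint.beans.enabled=false
"""
```

Running `audit(VULNERABLE_PROPERTIES)` returns all three sensitive endpoints, while `audit(FIXED_PROPERTIES)` returns an empty set; the check belongs in a CI step beside the live test described earlier.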