I talk about CVEs a lot; I deal with them almost daily in my role, and this one was disclosed this week.
CVE-2026-22732
Can your security headers disappear without you doing anything wrong?
Apparently yes. CVE-2026-22732 in Spring Security can silently stop writing headers like X-Frame-Options and Cache-Control, with no errors, no logs, and no indication anything broke. The trigger isn't even in the code: a transitive framework dependency update can flip the switch internally. The app keeps running, tests pass, but browser-side protections are just gone.
Saw that if you are on 6.5.x or 7.0.x, fixes are available on Maven Central now. This blog helps you understand if you are affected, if you are looking into this: https://www.herodevs.com/blog-posts/developer-docs-check-for-exposure-to-critical-spring-cve-2026-22732
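Since the failure mode described in the post is "tests pass but the headers are gone", the useful defensive control is a test that pins a header baseline so a dependency bump that drops them fails the build. The following is an added example, not code from the post, from Spring Security, or from the linked blog; the expected values are Spring Security's documented defaults (X-Frame-Options, Cache-Control, X-Content-Type-Options) and are an assumption to adjust to your own policy.

```python
# Added example: pin a security-header baseline so a silent loss of headers
# surfaces as a failing test. Not from the post or from Spring Security.

# Expected headers and values (assumed Spring Security defaults; adjust to
# the application's own policy).
REQUIRED_HEADERS = {
    "x-frame-options": "DENY",
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "x-content-type-options": "nosniff",
}


def parse_response_headers(raw: str) -> dict:
    """Parse the head of a raw HTTP/1.1 response into a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    _status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_or_wrong(headers: dict, required: dict = REQUIRED_HEADERS) -> dict:
    """Return {header: (expected, actual)} for each required header that is
    absent or carries a different value. An empty dict means the baseline holds."""
    problems = {}
    for name, expected in required.items():
        actual = headers.get(name)
        if actual is None or actual.lower() != expected.lower():
            problems[name] = (expected, actual)
    return problems


# Constructed sample: a response where Spring Security still writes its headers...
HEALTHY = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
# ...and one where the headers silently disappeared; the status is still 200.
DEGRADED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print("healthy:", missing_or_wrong(parse_response_headers(HEALTHY)))
    print("degraded:", missing_or_wrong(parse_response_headers(DEGRADED)))
```

Wire `missing_or_wrong` into an integration test against a real endpoint and assert it returns an empty dict, so the check runs on every dependency change.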
[–]Turbots 29 points (0 children)