CVE-2026-22746 - Vulnerability Details - OpenCVE

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://spring.io/security/cve-2026-22746

History

Wed, 22 Apr 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Title		User Attribute Enumeration when Using DaoAuthenticationProvider
References		https://spring.io/security/cve-2026-22746
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-04-22T05:02:24.327Z

Updated: 2026-04-22T05:02:24.327Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22746

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T06:16:02.780

Modified: 2026-04-22T06:16:02.780

Link: CVE-2026-22746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22746", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.990Z", "datePublished": "2026-04-22T05:02:24.327Z", "dateUpdated": "2026-04-22T05:02:24.327Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:02:24.327Z"}, "title": "User Attribute Enumeration when Using DaoAuthenticationProvider", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "lessThanOrEqual": "5.7.22", "versionType": "custom"}, {"status": "affected", "version": "5.8.0", "lessThanOrEqual": "5.8.24", "versionType": "custom"}, {"status": "affected", "version": "6.3.0", "lessThanOrEqual": "6.3.15", "versionType": "custom"}, {"status": "unknown", "version": "6.4.0", "lessThanOrEqual": "6.4.15", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.9", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using the\u00a0UserDetails#isEnabled,\u00a0#isAccountNonExpired, or\u00a0#isAccountNonLocked\u00a0user attributes, to enable, expire, or lock users, then\u00a0DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application is using the <code>UserDetails#isEnabled</code>, <code>#isAccountNonExpired</code>, or <code>#isAccountNonLocked</code> user attributes, to enable, expire, or lock users, then <code>DaoAuthenticationProvider</code>'s timing attack defense can be bypassed for users who are disabled, expired, or locked.<p>This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22746"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"analysis": {"en": {"generated_at": "2026-04-22T07:05:51.525712+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a non\u2011affected release (e.g., 5.7.23 or later, 5.8.25 or later, 6.3.16 or later, 6.5.10 or later, 7.0.5 or later).", "If immediate upgrade is not possible, enforce uniform authentication failure responses and maintain constant response times to diminish timing side\u2011channel information leakage.", "Review the use of UserDetails isEnabled, isAccountNonExpired, and isAccountNonLocked attributes in authentication logic; consider removing or securing them, or implementing a custom DaoAuthenticationProvider that applies a constant\u2011time check."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure \u2013 User Attribute Enumeration"}, "threat_synthesis": {"affected_systems": "Affected versions include Spring Security 5.7.0 through 5.7.22, 5.8.0 through 5.8.24, 6.3.0 through 6.3.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. Any application that relies on the standard DaoAuthenticationProvider and incorporates the UserDetails status attributes within these version ranges is potentially impacted.", "description_and_impact": "Spring Security allows the use of UserDetails attributes such as isEnabled, isAccountNonExpired, or isAccountNonLocked to control user status. The DaoAuthenticationProvider includes a timing attack defense designed to mask differences in authentication responses. However, this defense can be bypassed for users whose accounts are disabled, expired, or locked, revealing their state. The result is a potential information\u2011disclosure vulnerability that lets an attacker enumerate or confirm the status of specific user accounts without needing valid credentials.", "risk_and_exploitability": "The CVSS score of 3.7 indicates a low severity risk, and the EPSS score is not available, suggesting limited known exploitation activity. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector appears to rely on exploiting timing differences in authentication responses, which can be performed through routine authentication requests sent to the application. Because the flaw does not require elevated privileges or a code\u2011execution vector, it may be easier for an attacker to test with automated scanners."}}}}, "created": "2026-04-22T07:15:11.666617+00:00", "updated": "2026-04-22T07:15:11.666627+00:00", "vendors": []}