CVE-2026-22746

Authorization Bypass
Affects: Spring Security in Spring
Versions: 4.2.x; 5.5.x; 5.7.x; 5.8.x; 6.2.x; 6.3.x; 6.4.x; 6.5.x; 7.0.x
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Vulnerability in Spring Security. If an application uses the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.

Details

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions have no publicly available fixes for this vulnerability. Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Steps To Reproduce

  1. Set up the affected environment: Deploy an application using Spring Security with one of the affected versions. Ensure that the application is configured to utilize the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes for user authentication.
  2. Create user accounts: Set up multiple user accounts with varying states: one enabled, one disabled, one expired, and one locked. Ensure that the user details are correctly configured to reflect these states.
  3. Trigger authentication requests: Attempt to authenticate using the credentials of the disabled, expired, and locked user accounts. Monitor the response times for each authentication attempt to observe any discrepancies.
  4. Analyze response times: Record the response time for each authentication attempt. A significant difference in response times for the disabled, expired, or locked accounts compared with an enabled account indicates that the timing side channel is present.
  5. Upgrade Spring Security: Apply the appropriate fix for your version of Spring Security as per the advisory.
  6. Re-test authentication requests: After upgrading, repeat the authentication attempts for the disabled, expired, and locked user accounts.
  7. Verify remediation: Confirm that the response times for all authentication attempts are consistent and do not exhibit significant differences, indicating that the timing attack vulnerability has been effectively mitigated.
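The measurements in steps 3, 4, 6 and 7 can be scripted directly against DaoAuthenticationProvider, without going through an HTTP layer, so the same check can run before and after the upgrade. The following is an added example written for this page, not code from HeroDevs or the Spring Security project. It assumes the Spring Security 6.x-style DaoAuthenticationProvider(UserDetailsService) constructor, InMemoryUserDetailsManager, BCrypt password hashing, and a 25% tolerance on the median response time that is an arbitrary choice for this example; the class name, user names and passwords are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Remediation check for CVE-2026-22746 (added example, not HeroDevs' or
 * Spring's code). Authenticates with a wrong password against one account per
 * state and reports the median time per state. After the fix the medians
 * should be close to each other; a much faster disabled, expired or locked
 * account is the response-time gap the advisory describes.
 */
public class AccountStateTimingCheck {

    private static final int WARMUP = 5;   // JIT warm-up attempts, not measured
    private static final int SAMPLES = 20; // measured attempts per account
    // Assumption for this example: flag any state whose median deviates from
    // the enabled account's median by more than 25%.
    private static final double MAX_RELATIVE_GAP = 0.25;

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String hash = encoder.encode("correct-horse"); // constructed sample password

        // Constructed accounts, one per state (step 2 of the advisory).
        UserDetails enabled = User.builder().username("alice").password(hash).roles("USER").build();
        UserDetails disabled = User.builder().username("bob").password(hash).roles("USER").disabled(true).build();
        UserDetails expired = User.builder().username("carol").password(hash).roles("USER").accountExpired(true).build();
        UserDetails locked = User.builder().username("dave").password(hash).roles("USER").accountLocked(true).build();

        DaoAuthenticationProvider provider =
                new DaoAuthenticationProvider(new InMemoryUserDetailsManager(enabled, disabled, expired, locked));
        provider.setPasswordEncoder(encoder);

        Map<String, String> states = new LinkedHashMap<>();
        states.put("enabled", "alice");
        states.put("disabled", "bob");
        states.put("expired", "carol");
        states.put("locked", "dave");
        states.put("unknown", "nobody"); // baseline covered by the existing unknown-user timing defense

        Map<String, Double> medians = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : states.entrySet()) {
            medians.put(e.getKey(), medianFailureMillis(provider, e.getValue()));
        }

        double reference = medians.get("enabled");
        boolean consistent = true;
        for (Map.Entry<String, Double> e : medians.entrySet()) {
            double gap = Math.abs(e.getValue() - reference) / reference;
            boolean ok = gap <= MAX_RELATIVE_GAP;
            consistent &= ok;
            System.out.printf("%-8s median %.1f ms  gap %.0f%%  %s%n",
                    e.getKey(), e.getValue(), gap * 100, ok ? "ok" : "TIMING GAP");
        }
        System.out.println(consistent
                ? "Response times consistent across account states"
                : "Inconsistent response times: account state is observable");
    }

    /** Median wall-clock time of a failed login (wrong password) for one username. */
    static double medianFailureMillis(DaoAuthenticationProvider provider, String username) {
        for (int i = 0; i < WARMUP; i++) {
            attempt(provider, username);
        }
        List<Long> nanos = new ArrayList<>();
        for (int i = 0; i < SAMPLES; i++) {
            long start = System.nanoTime();
            attempt(provider, username);
            nanos.add(System.nanoTime() - start);
        }
        long[] sorted = nanos.stream().mapToLong(Long::longValue).sorted().toArray();
        return sorted[sorted.length / 2] / 1_000_000.0;
    }

    /** One authentication attempt with a wrong password; every outcome here is a failure. */
    static void attempt(DaoAuthenticationProvider provider, String username) {
        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken(username, "wrong-password"));
        } catch (AuthenticationException expected) {
            // DisabledException, LockedException, AccountExpiredException or
            // BadCredentialsException: only the elapsed time is of interest here.
        }
    }
}
```

Run it once against the affected version and once after upgrading; the remediation is confirmed when every state prints "ok". Medians are used rather than means so that occasional GC pauses do not mask or fake a gap, and the check should be run on an otherwise idle machine, since BCrypt timings on a loaded host vary by more than the tolerance.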
Vulnerability Details

Severity: Low

CVSS severity scale used on this page:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-22746
Project Affected: Spring Security
Versions Affected: 4.2.x; 5.5.x; 5.7.x; 5.8.x; 6.2.x; 6.3.x; 6.4.x; 6.5.x; 7.0.x
NES Versions Affected: 4.2.x; 5.5.x; 5.7.x; 5.8.x; 6.2.x; 6.3.x; 6.4.x
Published date: April 21, 2026
Fix date: April 21, 2026
Category: Authorization Bypass