
Description

Vulnerability in Spring Security. If an application uses the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing-attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, and from 7.0.0 through 7.0.4.
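How the timing defense works and how an operator can check a deployment for the leak, as an added example (my code, not Spring Security's and not a reproduction taken from the advisory): when a username is not found, DaoAuthenticationProvider still runs one password-encoder comparison against a placeholder hash, so an unknown user and a wrong password cost roughly the same wall-clock time. The account-status checks (locked, disabled, expired) run before the password comparison, so a rejection on one of those grounds skips the encoder; that shortcut is the bypass the advisory describes. The harness below needs spring-security-core and spring-security-crypto on the classpath, builds an in-memory store with constructed sample accounts, and compares the median time to reject a wrong password for an enabled, a disabled, a locked, and a non-existent user. It wires the provider with the no-arg constructor plus setUserDetailsService/setPasswordEncoder as exposed on the 5.7 and 6.x lines; I am assuming the 7.0 line differs in its constructor set, so adapt the two wiring lines there.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import java.util.Arrays;

/**
 * Self-check for the timing side channel described in CVE-2026-22746.
 * Added example, not Spring Security code. The user store is constructed
 * sample data: one enabled, one disabled and one locked account, all with
 * the same bcrypt hash. We time how long the provider takes to reject a
 * wrong password for each of them and for a username that does not exist.
 */
public class TimingSelfCheck {

    private static final int SAMPLES = 50;

    public static void main(String[] args) {
        // bcrypt is deliberately slow; that cost is what the timing defense equalises.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String hash = encoder.encode("correct horse battery staple");

        UserDetails enabled  = User.withUsername("alice").password(hash).roles("USER").build();
        UserDetails disabled = User.withUsername("bob").password(hash).roles("USER").disabled(true).build();
        UserDetails locked   = User.withUsername("carol").password(hash).roles("USER").accountLocked(true).build();

        // 5.7 / 6.x wiring; assumed to need adjusting on the 7.0 line.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(enabled, disabled, locked));
        provider.setPasswordEncoder(encoder);

        // "nobody" is not in the store: its rejection goes through the dummy encoder comparison.
        for (String username : Arrays.asList("alice", "bob", "carol", "nobody")) {
            long median = medianRejectNanos(provider, username);
            System.out.printf("%-8s rejected in %6.1f ms (median of %d samples)%n",
                    username, median / 1e6, SAMPLES);
        }
    }

    /** Median wall-clock time for the provider to reject a wrong password for username. */
    static long medianRejectNanos(DaoAuthenticationProvider provider, String username) {
        long[] samples = new long[SAMPLES];
        for (int i = 0; i < SAMPLES; i++) {
            long start = System.nanoTime();
            try {
                provider.authenticate(
                        UsernamePasswordAuthenticationToken.unauthenticated(username, "wrong-password"));
                throw new IllegalStateException("wrong password was accepted for " + username);
            } catch (AuthenticationException expected) {
                // BadCredentialsException, DisabledException, LockedException all land here;
                // what differs between them is how much work was done before throwing.
            }
            samples[i] = System.nanoTime() - start;
        }
        Arrays.sort(samples);
        return samples[SAMPLES / 2];
    }
}
```

On an affected version the rejections for bob and carol come back much faster than those for alice and nobody, because no bcrypt comparison is performed on the locked and disabled paths; that difference is observable by anyone who can submit login attempts. The median over repeated samples is used because JIT warm-up and garbage collection add noise to individual measurements; treat the output as a self-check against your own deployment, not as a benchmark.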

Status: PUBLISHED | Reserved 2026-01-09 | Published 2026-04-22 | Updated 2026-04-22 | Assigner: vmware

Severity: LOW 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Product status

Default status: unaffected

5.7.0 through 5.7.22 (custom): affected

5.8.0 through 5.8.24 (custom): affected

6.3.0 through 6.3.15 (custom): affected

6.4.0 (custom): unknown

6.5.0 through 6.5.9 (custom): affected

7.0.0 through 7.0.4 (custom): affected

References

spring.io/security/cve-2026-22746

cve.org (CVE-2026-22746)

nvd.nist.gov (CVE-2026-22746)