Spring Security 5.7-7.0 DAO Auth Timing Attack Bypass via Disabled/Locked
CVE-2026-22746 Published on April 22, 2026
User Attribute Enumeration when Using DaoAuthenticationProvider
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Vulnerability Analysis
CVE-2026-22746 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Products Associated with CVE-2026-22746
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring Security:- Version 5.7.0, <= 5.7.22 is affected.
- Version 5.8.0, <= 5.8.24 is affected.
- Version 6.3.0, <= 6.3.15 is affected.
- Version 6.4.0, <= 6.4.15 is unknown.
- Version 6.5.0, <= 6.5.9 is affected.
- Version 7.0.0, <= 7.0.4 is affected.