Spring LDAP 2.4.04.0.3 DirContextAuth bypass of empty password
CVE-2026-41720 Published on June 9, 2026
Authentication Bypass with Empty Password in Spring LDAP
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.
Affected versions:
Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.
Vulnerability Analysis
CVE-2026-41720 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an authentification Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-41720 has been classified to as an authentification vulnerability or weakness.
Products Associated with CVE-2026-41720
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring LDAP:- Version 2.4.0 and below 2.4.5 is affected.
- Version 3.2.0 and below 3.2.18 is affected.
- Version 3.3.0 and below 3.3.8 is affected.
- Version 4.0.0 and below 4.0.4 is affected.