Description
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Published: 2026-04-22
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure – User Attribute Enumeration
Action: Patch Immediately
AI Analysis

Impact

Spring Security allows the use of UserDetails attributes such as isEnabled, isAccountNonExpired, or isAccountNonLocked to control user status. The DaoAuthenticationProvider includes a timing attack defense designed to mask differences in authentication responses. However, this defense can be bypassed for users whose accounts are disabled, expired, or locked, revealing their state. The result is a potential information‑disclosure vulnerability that lets an attacker enumerate or confirm the status of specific user accounts without needing valid credentials.

Affected Systems

Affected versions include Spring Security 5.7.0 through 5.7.22, 5.8.0 through 5.8.24, 6.3.0 through 6.3.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. Any application that relies on the standard DaoAuthenticationProvider and incorporates the UserDetails status attributes within these version ranges is potentially impacted.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity risk, and the EPSS score of < 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector appears to rely on exploiting timing differences in authentication responses, which can be performed through routine authentication requests sent to the application. Because the flaw does not require elevated privileges or a code‑execution vector, it may be easier for an attacker to test with automated scanners.

Generated by OpenCVE AI on April 27, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Security to a non‑affected release (e.g., 5.7.23 or later, 5.8.25 or later, 6.3.16 or later, 6.5.10 or later, 7.0.5 or later).
  • If immediate upgrade is not possible, enforce uniform authentication failure responses and maintain constant response times to diminish timing side‑channel information leakage.
  • Review the use of UserDetails isEnabled, isAccountNonExpired, and isAccountNonLocked attributes in authentication logic; consider removing or securing them, or implementing a custom DaoAuthenticationProvider that applies a constant‑time check.

Generated by OpenCVE AI on April 27, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vxf7-qj7q-83fh Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
History

Sat, 25 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 24 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Security
CPEs cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Security

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-208
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Security
Vendors & Products Spring
Spring spring Security

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Title User Attribute Enumeration when Using DaoAuthenticationProvider
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Spring Spring Security
Vmware Spring Security
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-22T13:36:42.801Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22746

cve-icon Vulnrichment

Updated: 2026-04-22T13:36:25.578Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T06:16:02.780

Modified: 2026-04-24T14:20:02.473

Link: CVE-2026-22746

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-22T05:02:24Z

Links: CVE-2026-22746 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:30:12Z

Weaknesses