Impact
Spring Security allows the use of UserDetails attributes such as isEnabled, isAccountNonExpired, or isAccountNonLocked to control user status. The DaoAuthenticationProvider includes a timing attack defense designed to mask differences in authentication responses. However, this defense can be bypassed for users whose accounts are disabled, expired, or locked, revealing their state. The result is a potential information‑disclosure vulnerability that lets an attacker enumerate or confirm the status of specific user accounts without needing valid credentials.
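The defensive idea behind the masking is that every failed login should do the same amount of work. The following is an added illustration, not Spring Security's own code and not the upstream fix: a custom AuthenticationProvider (the class name StatusMaskingAuthenticationProvider and the dummy password string are assumptions) that always runs PasswordEncoder.matches() before it looks at isEnabled, isAccountNonLocked or isAccountNonExpired, and then maps every failure to one generic exception. It assumes a UserDetailsService and a PasswordEncoder bean are available in the application context.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Illustrative provider (assumption: not part of Spring Security) that performs the
 * password comparison before evaluating account status, so a disabled, locked or
 * expired account costs the same time as an enabled account with a wrong password.
 */
public class StatusMaskingAuthenticationProvider implements AuthenticationProvider {

    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;
    // Hash of an arbitrary dummy password, computed once at startup, so that an
    // unknown username still pays for one full PasswordEncoder.matches() call.
    private final String dummyEncodedPassword;

    public StatusMaskingAuthenticationProvider(UserDetailsService userDetailsService,
                                               PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
        this.dummyEncodedPassword = passwordEncoder.encode("dummy-password-for-timing-mask");
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String presented = credentials == null ? "" : credentials.toString();

        UserDetails user = null;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException ignored) {
            // Fall through: the comparison below runs against the dummy hash instead.
        }

        // Step 1: always run the expensive comparison, whatever the account's status.
        String encoded = (user != null && user.getPassword() != null)
                ? user.getPassword()
                : dummyEncodedPassword;
        boolean passwordMatches = passwordEncoder.matches(presented, encoded);

        // Step 2: evaluate status only after the comparison, and collapse every
        // failure into the same exception so neither timing nor the message reveals
        // whether the account exists, is disabled, locked or expired.
        if (user == null
                || !passwordMatches
                || !user.isEnabled()
                || !user.isAccountNonLocked()
                || !user.isAccountNonExpired()
                || !user.isCredentialsNonExpired()) {
            throw new BadCredentialsException("Bad credentials");
        }

        // Authenticated token; the raw credentials are deliberately not retained.
        return UsernamePasswordAuthenticationToken.authenticated(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Two design notes. First, collapsing LockedException, DisabledException and AccountExpiredException into BadCredentialsException trades user-facing clarity for non-disclosure; the real reason can still be recorded server-side through an AuthenticationFailureBadCredentialsEvent listener or an audit log, where only operators see it. Second, the masking is only as good as the encoder: with a work-factor hash such as bcrypt the matches() call dominates the request time, which is what makes an enabled and a disabled account indistinguishable on the wire, but it is still worth measuring response-time distributions for the two cases in a staging environment rather than assuming they are equal.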
Affected Systems
Affected versions include Spring Security 5.7.0 through 5.7.22, 5.8.0 through 5.8.24, 6.3.0 through 6.3.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. Any application that relies on the standard DaoAuthenticationProvider and incorporates the UserDetails status attributes within these version ranges is potentially impacted.
Risk and Exploitability
The CVSS score of 3.7 indicates a low severity risk, and the EPSS score is not available, suggesting limited known exploitation activity. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector appears to rely on exploiting timing differences in authentication responses, which can be performed through routine authentication requests sent to the application. Because the flaw does not require elevated privileges or a code‑execution vector, it may be easier for an attacker to test with automated scanners.
OpenCVE Enrichment