Impact
Spring LDAP's DirContextAuthenticationStrategy implementations allow a credential bind request that supplies a non-empty user identifier but an empty or null password to succeed, effectively bypassing authentication. The vulnerability constitutes improper authentication (CWE-287) and can lead to unauthorized access to LDAP data and services, potentially exposing sensitive directory information. Since the flaw exists in the authentication layer, the impact is confined to applications using Spring LDAP and does not affect the underlying LDAP server beyond the binding operation.
Affected Systems
Affected vendors and products include the Spring LDAP library from Spring, versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. Applications that rely on these specific releases and construct authentication strategies without additional password validation are potentially vulnerable. The flaw does not affect other Spring projects that do not use the DirContextAuthenticationStrategy.
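The "additional password validation" mentioned above can be enforced ahead of the bind. The following decorator is an added example, not code from the advisory or from Spring LDAP itself: it wraps whatever DirContextAuthenticationStrategy is configured and refuses to build the bind environment when a non-empty user identifier arrives with a null or empty password, which is exactly the request shape the advisory describes. It assumes the interface's two methods, setupEnvironment and processContextAfterCreation; the class name NonEmptyPasswordAuthenticationStrategy is hypothetical.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;

/**
 * Hypothetical decorator (not part of Spring LDAP). It fails closed before
 * the LDAP environment for the bind is assembled, so a request that names a
 * user but carries no password is rejected locally instead of being sent to
 * the directory, where an empty password may be treated as an unauthenticated
 * bind and reported back as success.
 */
public final class NonEmptyPasswordAuthenticationStrategy
        implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public NonEmptyPasswordAuthenticationStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    /** True only for the dangerous shape: a user identifier with no password. */
    static boolean isUserWithoutPassword(String userDn, String password) {
        boolean hasUser = userDn != null && !userDn.isEmpty();
        boolean hasPassword = password != null && !password.isEmpty();
        return hasUser && !hasPassword;
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        if (isUserWithoutPassword(userDn, password)) {
            // Never let an empty password reach the bind operation.
            throw new NamingException("Refusing LDAP bind with empty password for " + userDn);
        }
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }

    // Assumed wiring on the context source, e.g. an LdapContextSource:
    //   contextSource.setAuthenticationStrategy(
    //       new NonEmptyPasswordAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy()));
}
```

Rejecting the request before the bind also gives a clean log line to alert on, since a user identifier paired with an empty password is rarely legitimate client behaviour.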
Risk and Exploitability
The CVSS score of 7.4 indicates high severity. The EPSS score is not currently available, and current estimates suggest a low exploitation likelihood. The vulnerability is not listed in the CISA KEV catalogue, which indicates no public knowledge of active exploitation at the time of this assessment. Attackers would need network or application access capable of sending a bind request with a valid username and an empty password; this is a relatively low-barrier attack, but it still requires the target to allow LDAP bind operations from that source.
OpenCVE Enrichment