CVE-2026-22746
Timing Attack Bypass in Spring Security User Account Checks
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: VMware
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_security | From 5.8.0 (inc) to 5.8.25 (exc) |
| vmware | spring_security | From 6.3.0 (inc) to 6.3.16 (exc) |
| vmware | spring_security | From 6.4.0 (inc) to 6.4.16 (exc) |
| vmware | spring_security | From 6.5.0 (inc) to 6.5.10 (exc) |
| vmware | spring_security | From 7.0.0 (inc) to 7.0.5 (exc) |
| vmware | spring_security | All versions before 5.7.23 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Spring Security release lines listed in the table above: every release before 5.7.23, and the 5.8, 6.3, 6.4, 6.5 and 7.0 lines before 5.8.25, 6.3.16, 6.4.16, 6.5.10 and 7.0.5 respectively. It is reachable when an application uses the UserDetails account-status attributes (UserDetails#isEnabled, #isAccountNonExpired or #isAccountNonLocked) to disable, expire or lock accounts.
DaoAuthenticationProvider defends against username enumeration by timing: when a username does not exist, it still runs a password comparison against a dummy encoded password, so an unknown user costs the same as a wrong password. The account-status checks, however, run before the password is compared, so a login attempt against a disabled, expired or locked account is rejected without that expensive comparison and returns measurably faster. An attacker who measures response times can therefore tell those accounts apart from both nonexistent usernames and active accounts.
The vulnerability is rated low severity with a CVSS score of 3.7: the attack is network-reachable and needs no privileges or user interaction, but the attack complexity is high because the timing difference must be measured reliably over the network, and the only impact is a limited loss of confidentiality.
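To make the timing oracle concrete, the following Python model of the provider flow is an added example, not Spring Security's code. The slow PBKDF2 hash (standing in for a BCrypt-class encoder), the sample accounts, and the always_perform_additional_checks flag (named after the setter the fixed releases introduce) are constructed for illustration. It shows that in the vulnerable ordering an attempt against a locked or disabled account skips the password comparison and returns far faster than an attempt with an unknown username, while with the flag on every path pays for the comparison and the timing no longer depends on account state.

```python
"""Model of the timing oracle described above (CVE-2026-22746).

Added illustration, not Spring Security's code: the slow hash, the sample
user store and the provider flow are all constructed here. PBKDF2 with many
rounds stands in for a BCrypt-class encoder. The ordering follows the
advisory's description of DaoAuthenticationProvider: an unknown username
still pays for one password check (the existing defence), while a locked,
disabled or expired account is rejected by the account-status checks before
any hash is computed (the bypass). always_perform_additional_checks=True
models the fixed behaviour.
"""
import hashlib
import os
import time
from dataclasses import dataclass

ITERATIONS = 50_000  # PBKDF2 rounds; one check dominates the request time


@dataclass
class UserDetails:
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True
    account_non_locked: bool = True
    account_non_expired: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, password: str, **flags) -> UserDetails:
    salt = os.urandom(16)
    return UserDetails(username, salt, hash_password(password, salt), **flags)


# Constructed sample store: one active, one locked, one disabled account.
USERS = {
    "alice": make_user("alice", "correct horse battery"),
    "mallory": make_user("mallory", "irrelevant", account_non_locked=False),
    "bob": make_user("bob", "irrelevant", enabled=False),
}
_DUMMY_SALT = os.urandom(16)  # burns the same cost for unknown usernames


def authenticate(username, password, users, always_perform_additional_checks):
    """Return (outcome, password_check_ran); the second value is what latency leaks."""
    user = users.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)  # existing timing defence
        return "bad credentials", True

    status_failure = None
    if not user.account_non_locked:
        status_failure = "locked"
    elif not user.enabled:
        status_failure = "disabled"
    elif not user.account_non_expired:
        status_failure = "expired"

    if status_failure and not always_perform_additional_checks:
        # Vulnerable ordering: rejected before the expensive comparison runs.
        return status_failure, False

    matches = hash_password(password, user.salt) == user.password_hash
    if status_failure:
        # Fixed ordering: the comparison always runs, so latency no longer
        # depends on account state. (Which exception the real library then
        # reports is not modelled here.)
        return status_failure, True
    return ("ok" if matches else "bad credentials"), True


def probe(username, users, fixed):
    """Attacker's view: time one attempt against a known-unknown username."""
    t0 = time.perf_counter()
    authenticate("no-such-user-" + os.urandom(4).hex(), "x", users, fixed)
    baseline = time.perf_counter() - t0
    t0 = time.perf_counter()
    authenticate(username, "x", users, fixed)
    elapsed = time.perf_counter() - t0
    # Far below the baseline means no password check ran for this account.
    return "status-flagged account" if elapsed < baseline / 4 else "unknown or active"


if __name__ == "__main__":
    for fixed in (False, True):
        view = {u: probe(u, USERS, fixed) for u in ("alice", "mallory", "bob", "carol")}
        print("fixed  " if fixed else "vulnerable", view)
```

Running the script prints two classifications: in the vulnerable ordering mallory and bob stand out as status-flagged while alice and the nonexistent carol are indistinguishable; in the fixed ordering all four look alike. The probe compares against a fresh unknown username rather than an absolute threshold, which is also how a real attacker would calibrate against network jitter.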
How can this vulnerability impact me?
An attacker can measure authentication response times to enumerate account state: a login attempt that fails faster than the baseline for an unknown username reveals a disabled, expired or locked account, which also confirms that the username exists.
The vulnerability does not affect integrity or availability, but the disclosed account states are information an attacker can use for reconnaissance and to target further attacks, such as credential-based attacks against the accounts confirmed to exist.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Spring Security to a fixed version: 5.7.23, 5.8.25, 6.3.16 or 6.4.16 (Enterprise Support Only), or 6.5.10 or 7.0.5 (Open Source Software). If Spring Security arrives through a framework's dependency management, make sure the resolved version is one of these rather than the one declared in your own build file.
The fixed versions also add a setter, DaoAuthenticationProvider#setAlwaysPerformAdditionalChecksOnUser, which controls the corrected behaviour. It is not a workaround for unpatched versions: the method does not exist there, and setting it to false after upgrading restores the previous fast-fail ordering and reintroduces the timing difference. Use it only as a temporary opt-out if the corrected behaviour breaks an application, and treat any deployment running with it set to false as still exposed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code path is reached when an application on an affected Spring Security version authenticates through DaoAuthenticationProvider and its UserDetails use isEnabled, isAccountNonExpired or isAccountNonLocked to flag accounts. Detection therefore has two parts: establishing the Spring Security version in use, and confirming whether the application actually sets those flags for any accounts.
If you have access to the build or the application environment, check the resolved Spring Security version:
- For Maven-based projects, run: mvn dependency:list | grep spring-security
- For Gradle-based projects, run: ./gradlew dependencies | grep spring-security
- If you have access to the deployed JAR/WAR, list the bundled libraries; the version is normally in the jar name, e.g. unzip -l app.jar | grep spring-security-core (Spring Boot fat jars keep dependencies under BOOT-INF/lib, WARs under WEB-INF/lib). If the name carries no version, read Implementation-Version from the core jar's META-INF/MANIFEST.MF where present.
Detecting exploitation from the network side is difficult: the timing difference is only visible to the client measuring it, and the provided resources describe no specific signature. The observable trace is a burst of failed login attempts spread across many usernames from one source, which ordinary authentication-failure monitoring should already flag. The primary detection method remains verifying the Spring Security version and whether the application uses the affected account-status flags.
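As an added example (not vendor tooling), the following Python script applies the affected ranges from the table on this page to a version string, and scans a directory for spring-security-core jars, including copies nested in Spring Boot fat jars and WARs. The regular expressions, the "unlisted" classification for release lines the table does not cover (such as the out-of-support 6.0 to 6.2 lines), the treatment of pre-release builds of a fix version as affected, and the constructed sample archives are all assumptions of this example.

```python
"""Version triage for CVE-2026-22746 against the affected ranges on this page.

Added example, not vendor tooling. assess() classifies a Spring Security
version string; scan() walks a directory for spring-security-core jars,
including copies nested in Spring Boot fat jars (BOOT-INF/lib) and WARs
(WEB-INF/lib). Versions come from the jar file name, with the manifest's
Implementation-Version as a fallback where the name carries none.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# (first affected, first fixed) per the table above; None = every earlier release
AFFECTED_RANGES = [
    (None, "5.7.23"),
    ("5.8.0", "5.8.25"),
    ("6.3.0", "6.3.16"),
    ("6.4.0", "6.4.16"),
    ("6.5.0", "6.5.10"),
    ("7.0.0", "7.0.5"),
]
_PRERELEASE = re.compile(r"[-.](SNAPSHOT|RC\d*|M\d+)\b", re.IGNORECASE)
_CORE_JAR = re.compile(r"spring-security-core(?:-(\d[^/]*?))?\.jar$")


def parse_version(version: str) -> tuple:
    """'6.4.15', '6.4.15.RELEASE', '6.4.16-SNAPSHOT' -> (6, 4, 15) / (6, 4, 16)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def assess(version: str) -> str:
    """'affected', 'fixed', or 'unlisted' for a release line the table does not
    cover (the out-of-support 6.0-6.2 lines, or anything newer than 7.0)."""
    base = parse_version(version)
    prerelease = bool(_PRERELEASE.search(version))
    for lower, upper in AFFECTED_RANGES:
        fixed = parse_version(upper)
        if lower is None and base < fixed:
            return "affected"
        if base[:2] != fixed[:2]:
            continue  # a different release line
        if base < fixed:
            return "affected"
        # A pre-release build of the fix version may predate the fix commit.
        return "affected" if prerelease and base == fixed else "fixed"
    return "unlisted"


def _manifest_version(zf: zipfile.ZipFile):
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def scan(root) -> list:
    """Return (location, version) for each spring-security-core jar under root."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in {".jar", ".war"} or not path.is_file():
            continue
        try:
            zf = zipfile.ZipFile(path)
        except zipfile.BadZipFile:
            continue  # not an archive; nothing to inspect
        with zf:
            m = _CORE_JAR.search(path.name)
            if m:  # the core jar itself, e.g. from an exploded WEB-INF/lib
                found.append((str(path), m.group(1) or _manifest_version(zf) or "unknown"))
                continue
            for name in zf.namelist():  # an application archive: look inside
                m = _CORE_JAR.search(name)
                if not m or not re.match(r"(BOOT-INF|WEB-INF)/lib/", name):
                    continue
                version = m.group(1)
                if version is None:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        version = _manifest_version(inner) or "unknown"
                found.append((f"{path}!{name}", version))
    return found


def constructed_sample_dir() -> str:
    """Constructed test data, not real builds: a fake Boot fat jar with a nested
    versioned core jar, plus an unversioned core jar identified by its manifest."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "demo-app.jar", "w") as zf:
        zf.writestr("BOOT-INF/lib/spring-security-core-6.5.9.jar", b"")
        zf.writestr("BOOT-INF/lib/spring-security-web-6.5.9.jar", b"")
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "spring-security-core.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 6.4.15\r\n")
    return str(root)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or [constructed_sample_dir(), "6.1.9", "7.0.5-SNAPSHOT"]:
        if Path(target).exists():
            for where, version in scan(target):
                print(f"{where}: {version} -> {assess(version)}")
        else:
            print(f"{target} -> {assess(target)}")
```

Pass a version string, a deployment directory, or an application archive as arguments. A result of "unlisted" is not a clean bill of health: it means the release line is not assessed on this page, and for the end-of-life 6.0 to 6.2 lines the safe assumption is that the same code path is present and unfixed. A version check alone also cannot tell whether the application actually sets the affected account-status flags; that still has to be confirmed in the application's UserDetailsService.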