CVE-2026-22746
Received Received - Intake
Timing Attack Bypass in Spring Security User Account Checks

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VMware

Description
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22746
EUVD
EUVD-2026-24607
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
vmware spring_security From 5.8.0 (inc) to 5.8.25 (exc)
vmware spring_security From 6.3.0 (inc) to 6.3.16 (exc)
vmware spring_security From 6.4.0 (inc) to 6.4.16 (exc)
vmware spring_security From 6.5.0 (inc) to 6.5.10 (exc)
vmware spring_security From 7.0.0 (inc) to 7.0.5 (exc)
vmware spring_security to 5.7.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Spring Security versions from 5.7.0 through 7.0.4. It occurs when an application uses certain user attributes—UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked—to manage user states such as enabling, expiring, or locking accounts.

In these cases, the timing attack defense implemented by DaoAuthenticationProvider can be bypassed for users who are disabled, expired, or locked. This allows an attacker to enumerate user attributes by measuring timing differences during authentication.

The vulnerability is considered low severity with a CVSS score of 3.7 and requires network access with high attack complexity but no privileges or user interaction.

Detection Guidance

This vulnerability affects specific versions of Spring Security when applications use the UserDetails attributes isEnabled, isAccountNonExpired, or isAccountNonLocked. Detection involves identifying if your system is running one of the affected Spring Security versions.

You can detect the presence of vulnerable Spring Security versions by checking the version of the Spring Security library used in your application dependencies.

For example, if you have access to the application environment, you can run commands to check the Spring Security version in use.

  • For Maven-based projects, run: mvn dependency:list | grep spring-security
  • For Gradle-based projects, run: ./gradlew dependencies | grep spring-security
  • If you have access to the deployed application JAR/WAR, you can inspect the MANIFEST.MF or use tools like unzip and grep to find the Spring Security version.

Network detection of this vulnerability through timing attack patterns is complex and not directly described in the provided resources. The primary detection method is verifying the Spring Security version and usage of the vulnerable user attributes.

Impact Analysis

This vulnerability can allow an attacker to perform user attribute enumeration by exploiting timing differences in authentication responses for disabled, expired, or locked users.

While it does not directly impact integrity or availability, it can lead to information disclosure about user account states, which could be leveraged in further attacks or reconnaissance.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Spring Security to one of the fixed versions: 5.7.23 (Enterprise Support Only), 5.8.25 (Enterprise Support Only), 6.3.16 (Enterprise Support Only), 6.4.16 (Enterprise Support Only), 6.5.10 (Open Source Software), or 7.0.5 (Open Source Software).

If upgrading causes issues, you can use the new setter method DaoAuthenticationProvider#setAlwaysPerformAdditionalChecksOnUser and set it to false as a temporary workaround.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart