CVE-2026-41720
Status: Received - Intake
Authentication Bypass in Spring LDAP via Empty Password

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.
Affected Vendors & Products

Vendor   Product   Version / Range
spring   ldap      From 2.4.0 (inc) to 2.4.4 (inc)
spring   ldap      From 3.2.0 (inc) to 3.2.17 (inc)
spring   ldap      From 3.3.0 (inc) to 3.3.7 (inc)
spring   ldap      From 4.0.0 (inc) to 4.0.3 (inc)
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-41720 is an authentication bypass in Spring LDAP. The DirContextAuthenticationStrategy implementations do not reject a bind in which a non-empty username is paired with an empty or null password, so the request is forwarded to the directory server as-is.

RFC 4513 Section 5.1.2 calls this an unauthenticated bind: the server establishes an anonymous authorization state rather than verifying any credential, and the RFC says servers SHOULD refuse such binds by default. A server that nevertheless accepts them returns a successful bind result, which Spring LDAP's authentication path treats as proof that the supplied credentials were valid. An attacker who knows or guesses a valid username can therefore authenticate with an empty password. Exploitability depends on the directory behind the application: OpenLDAP rejects unauthenticated binds unless configured with allow bind_anon_dn, while Active Directory accepts them as anonymous binds by default.

This vulnerability affects Spring LDAP versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3.

Impact Analysis

An attacker who submits a valid username with an empty or null password is treated by the application as that user, gaining whatever access the application grants to the account. The directory itself only grants an anonymous authorization state; the escalation happens in the application, which maps the successful bind to the named user.

Compromise of such an account exposes the data and systems that rely on Spring LDAP for authentication.

The affected paths are authentications performed through AbstractContextSource, LdapTemplate and LdapClient, so any application that authenticates users with these components against a directory that permits unauthenticated binds is exposed.

Detection Guidance

The vulnerable behaviour is on the client side: Spring LDAP's DirContextAuthenticationStrategy implementations forward a bind with a non-empty username and an empty or null password to the directory instead of rejecting it. Detection therefore has two parts: finding the vulnerable library in your builds, and finding unauthenticated binds in directory traffic or server logs.

  • Inventory dependencies: compare the resolved version of org.springframework.ldap:spring-ldap-core in mvn dependency:tree or gradle dependencies output against the affected ranges above.
  • Review directory server logs for bind attempts whose DN is non-empty but whose credential is empty. A server that accepts such a bind records it as a successful bind followed by operations under an anonymous authorization identity, so searching only for bind failures will miss it; a server that rejects it (OpenLDAP's default) returns unwillingToPerform (result code 53).
  • On the wire, capture LDAP traffic, for example: tcpdump -i <interface> -s 0 -w ldap_capture.pcap port 389
  • Open ldap_capture.pcap in Wireshark, filter on bind requests (ldap.bindRequest_element) and check whether the simple credential is empty while the name is not.
  • Packet capture only sees cleartext binds. Binds over LDAPS (port 636) or after StartTLS are encrypted, so server-side logs are the reliable source for those.
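As an added example (not code from this page, the Spring LDAP project or VMware), the following Python decodes raw LDAP BindRequest frames and flags the shape described in the summary above and searched for in this guidance: a non-empty name paired with an empty simple credential. It implements only the subset of RFC 4511 BER that a simple bind uses; the encoder exists to construct sample frames so the check runs offline, and the DN, messageIDs and password in the samples are invented. To use it on real traffic, feed it the LDAPMessage payloads extracted from a capture instead of SAMPLE_FRAMES.

```python
"""Added example: decode raw LDAP BindRequest frames and flag the
"unauthenticated" shape (non-empty name, empty simple password) that
RFC 4513 s5.1.2 describes and that CVE-2026-41720 fails to reject.
The sample frames at the bottom are constructed, not captured."""
from __future__ import annotations

from dataclasses import dataclass

# BER tags used by a simple BindRequest (RFC 4511 s4.2)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple, [0] primitive


def _encode_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Build an LDAPMessage carrying an LDAPv3 simple BindRequest."""
    if not 0 <= message_id < 0x80:
        raise ValueError("messageID must fit one INTEGER content byte here")
    bind = (_tlv(INTEGER, b"\x03")                   # version 3
            + _tlv(OCTET_STRING, name.encode())      # name (LDAPDN, may be empty)
            + _tlv(SIMPLE_AUTH, password.encode()))  # simple credential
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


@dataclass(frozen=True)
class BindInfo:
    message_id: int
    name: str
    kind: str  # "anonymous" | "unauthenticated" | "authenticated" | "sasl"


def classify_bind(frame: bytes) -> BindInfo | None:
    """Classify one LDAPMessage; None if it is not a BindRequest."""
    tag, msg, _ = _read_tlv(frame, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    if auth_tag != SIMPLE_AUTH:
        kind = "sasl"
    elif not name and not cred:
        kind = "anonymous"        # RFC 4513 s5.1.1
    elif name and not cred:
        kind = "unauthenticated"  # RFC 4513 s5.1.2: the shape this CVE lets through
    else:
        kind = "authenticated"    # name and password both present; server verifies
    return BindInfo(int.from_bytes(mid, "big"), name.decode(errors="replace"), kind)


def flag_unauthenticated(frames: list[bytes]) -> list[BindInfo]:
    """Binds worth a look: non-empty DN with an empty password."""
    flagged = []
    for frame in frames:
        info = classify_bind(frame)
        if info is not None and info.kind == "unauthenticated":
            flagged.append(info)
    return flagged


# Constructed sample traffic (not captured). The anonymous bind is hand-encoded
# so the byte layout is visible; the other two come from the encoder above.
ANONYMOUS_BIND = bytes.fromhex("300c" "020101" "6007" "020103" "0400" "8000")
USER_DN = "uid=alice,ou=people,dc=example,dc=org"  # invented DN
SAMPLE_FRAMES = [
    ANONYMOUS_BIND,
    encode_simple_bind(2, USER_DN, "correct horse battery"),
    encode_simple_bind(3, USER_DN, ""),  # what a vulnerable client sends
]

if __name__ == "__main__":
    for info in flag_unauthenticated(SAMPLE_FRAMES):
        print(f"messageID={info.message_id}: unauthenticated bind for {info.name!r}")
```

The classifier deliberately separates the anonymous case (empty name and empty password, which most deployments allow for rootDSE reads) from the unauthenticated case, because only the latter indicates a client that accepted a username without checking for a password. SASL binds are reported but not inspected further, since their credentials live in a different structure.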
Mitigation Strategies

The primary and recommended mitigation is to upgrade Spring LDAP to a fixed version.

  • Upgrade to Spring LDAP 2.4.5 (Enterprise Support Only), 3.2.18 (Enterprise Support Only), 3.3.8 (OSS), or 4.0.4 (OSS) or later.

No additional mitigation steps are required after upgrading. Until the upgrade lands, reject empty or blank passwords in the application before calling into Spring LDAP, and configure the directory server to refuse unauthenticated binds (the default RFC 4513 recommends); either measure closes the bypass independently of the library version.
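Added example, not from this page or the Spring LDAP project: a triage script that reads mvn dependency:tree or gradle dependencies output, finds the resolved org.springframework.ldap:spring-ldap-core version on each line, and maps it to the first fixed release listed above. The sample output is constructed, including the version strings; the only assumption about real output is the coordinate spelling (Maven prints group:artifact:jar:version:scope, Gradle prints group:artifact:version and appends "-> resolved" when conflict resolution changed the version).

```python
"""Added example: triage build-tool dependency output for spring-ldap-core
versions inside the four affected ranges and report the fixed release.
SAMPLE_TREE is constructed, not taken from a real build."""
from __future__ import annotations

import re
from typing import Iterable, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per the advisory
AFFECTED_RANGES: list[tuple[Version, Version, str]] = [
    ((2, 4, 0), (2, 4, 4), "2.4.5"),
    ((3, 2, 0), (3, 2, 17), "3.2.18"),
    ((3, 3, 0), (3, 3, 7), "3.3.8"),
    ((4, 0, 0), (4, 0, 3), "4.0.4"),
]

# Maven ("group:artifact:jar:version:scope") and Gradle ("group:artifact:version")
# spellings of the core artifact coordinate.
COORD = re.compile(r"org\.springframework\.ldap:spring-ldap-core(?::jar)?:(\d+)\.(\d+)\.(\d+)")
# Gradle prints "declared -> resolved" when conflict resolution changed the version.
RESOLVED = re.compile(r"->\s*(\d+)\.(\d+)\.(\d+)")


def fixed_version_for(version: Version) -> str | None:
    """First fixed release for an affected version, None if not affected."""
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= version <= hi:
            return fixed
    return None


def effective_version(line: str) -> Version | None:
    """Version of spring-ldap-core actually on the classpath for this line."""
    m = COORD.search(line)
    if not m:
        return None
    resolved = RESOLVED.search(line, m.end())   # prefer the resolved version if shown
    groups = (resolved or m).groups()
    return tuple(int(g) for g in groups)  # type: ignore[return-value]


def scan_dependency_tree(lines: Iterable[str]) -> list[tuple[str, str]]:
    """(found version, fixed version) for every affected spring-ldap-core line."""
    findings = []
    for line in lines:
        version = effective_version(line)
        if version is None:
            continue
        fixed = fixed_version_for(version)
        if fixed:
            findings.append((".".join(map(str, version)), fixed))
    return findings


# Constructed sample output mixing mvn dependency:tree and gradle dependencies styles.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.springframework.ldap:spring-ldap-core:jar:3.3.5:compile
[INFO] +- org.springframework.security:spring-security-ldap:jar:6.3.1:compile
+--- org.springframework.ldap:spring-ldap-core:2.4.4
+--- org.springframework.ldap:spring-ldap-core:3.2.10 -> 3.2.18
\\--- org.springframework.ldap:spring-ldap-core:4.0.4
""".splitlines()

if __name__ == "__main__":
    for found, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-ldap-core {found} is affected; upgrade to {fixed} or later")
```

Checking the resolved rather than the declared version matters: a build that declares 3.2.10 but resolves to 3.2.18 through a BOM or conflict resolution is not affected, while one that declares 3.3.8 but is forced down to 3.3.5 by another dependency is.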

Compliance Impact

This vulnerability allows an authentication bypass by accepting bind requests with a non-empty username and an empty or null password, potentially enabling unauthorized access.

Such unauthorized access could lead to exposure or misuse of sensitive personal or protected health information, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strong authentication controls to protect data confidentiality and integrity.

Therefore, if exploited, this vulnerability could negatively impact an organization's ability to comply with these regulations by undermining authentication mechanisms.

Upgrading to fixed versions of Spring LDAP is necessary to remediate this issue and maintain compliance.
