SB2026061628 - MongoDB Enterprise Advanced with IBM update for Spring Security




Published: June 16, 2026

Security Bulletin ID: SB2026061628
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Observable discrepancy (CVE-ID: CVE-2026-22746)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing discrepancies in DaoAuthenticationProvider when processing authentication requests for disabled, expired, or locked users. A remote attacker can send authentication attempts for different usernames to disclose sensitive information.

The issue is exposed when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.
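The following Java program is an added illustration, not Spring Security's code and not part of this bulletin. It models the shape of a status-dependent timing discrepancy and the defensive pattern that avoids it: one authentication path checks the enabled/expired/locked flags and returns before the costly password hash has run, while the other performs the same amount of work whatever the account status and combines the results without an early exit. The class, method and account names are assumed for the example, and PBKDF2 from the standard JDK stands in for a real password encoder; it needs Java 16 or later for records.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.function.BooleanSupplier;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Illustrative stand-in for a UserDetails-style record; assumed for this example, not Spring's type. */
record Account(String username, byte[] salt, byte[] hash,
               boolean enabled, boolean accountNonExpired, boolean accountNonLocked) {}

public class StatusCheckTimingDemo {
    private static final int ITERATIONS = 200_000;   // deliberately slow, like a real password encoder
    private static final int KEY_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16];
    // Placeholder account so that an unknown username still pays the full hash cost.
    private static final Account DUMMY = new Account("<dummy>", DUMMY_SALT,
            pbkdf2("placeholder-password".toCharArray(), DUMMY_SALT), false, false, false);

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean passwordMatches(Account a, char[] password) {
        // MessageDigest.isEqual compares in constant time with respect to the byte contents.
        return MessageDigest.isEqual(pbkdf2(password, a.salt()), a.hash());
    }

    /** Vulnerable shape: status flags are evaluated before the password, so a disabled, expired or
     *  locked account fails in microseconds while an active account pays the full hash cost. */
    static boolean authenticateStatusFirst(Account a, char[] password) {
        if (a == null) return false;
        if (!a.enabled() || !a.accountNonExpired() || !a.accountNonLocked()) {
            return false;   // early return before the hash: observable as a timing difference
        }
        return passwordMatches(a, password);
    }

    /** Hardened shape: the same work is done for every username and status, and the result is
     *  combined with non-short-circuit operators so no branch returns early. */
    static boolean authenticateConstantWork(Account a, char[] password) {
        Account target = (a != null) ? a : DUMMY;
        boolean passwordOk = passwordMatches(target, password);
        boolean statusOk = target.enabled() & target.accountNonExpired() & target.accountNonLocked();
        return (a != null) & passwordOk & statusOk;
    }

    static long timeMicros(BooleanSupplier call) {
        long start = System.nanoTime();
        call.getAsBoolean();
        return (System.nanoTime() - start) / 1_000;
    }

    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2("correct horse".toCharArray(), salt);
        // Constructed sample accounts: same credentials, different lock status.
        Account active = new Account("alice", salt, hash, true, true, true);
        Account locked = new Account("bob", salt, hash, true, true, false);
        char[] wrong = "wrong guess".toCharArray();

        // Warm up the JIT and the key factory so the first measurement is not an outlier.
        for (int i = 0; i < 3; i++) { authenticateConstantWork(active, wrong); }

        System.out.printf("status-first  active user: %6d us%n", timeMicros(() -> authenticateStatusFirst(active, wrong)));
        System.out.printf("status-first  locked user: %6d us%n", timeMicros(() -> authenticateStatusFirst(locked, wrong)));
        System.out.printf("constant-work active user: %6d us%n", timeMicros(() -> authenticateConstantWork(active, wrong)));
        System.out.printf("constant-work locked user: %6d us%n", timeMicros(() -> authenticateConstantWork(locked, wrong)));
    }
}
```

Run it with `java StatusCheckTimingDemo.java`. The status-first call on the locked account returns long before the other three, which each pay the full PBKDF2 cost, whereas the constant-work path reports comparable times for the active and the locked account and reveals nothing about the status flags. The wall-clock figures are noisy and only illustrate the mechanism; for the issue in this bulletin the fix is the vendor update, since the affected check lives inside the framework rather than in application code.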


Remediation

Install the update from the vendor's website.