Main Vulnerability Database Vulnerabilities #VU128224

Observable discrepancy in Spring Security - CVE-2026-22746

Published: April 27, 2026

Vulnerability identifier: #VU128224

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-22746

CWE-ID: CWE-203

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Spring Security

Software vendor:
VMware, Inc

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing discrepancies in DaoAuthenticationProvider when processing authentication requests for disabled, expired, or locked users. A remote attacker can send authentication attempts for different usernames to disclose sensitive information.

The issue is exposed when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.

Remediation

Install security update from vendor's website.

External links

https://spring.io/security/cve-2026-22746

Observable discrepancy in Spring Security - CVE-2026-22746

Description

Remediation

External links

Please verify you're human