Main Vulnerability Database Vulnerabilities #VU128224

Observable discrepancy in Spring Security - CVE-2026-22746

Published: April 27, 2026

Vulnerability identifier: #VU128224

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-22746

CWE-ID: CWE-203

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: VMware, Inc

Affected software:
Spring Security

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing discrepancies in DaoAuthenticationProvider when processing authentication requests for disabled, expired, or locked users. A remote attacker can send authentication attempts for different usernames to disclose sensitive information.

The issue is exposed when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.

How to mitigate CVE-2026-22746

Install security update from vendor's website.

Sources

https://spring.io/security/cve-2026-22746

Observable discrepancy in Spring Security - CVE-2026-22746

Detailed vulnerability description

How to mitigate CVE-2026-22746

Sources

Please verify you're human