CVE-2026-22746
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Vendor
-
Product
-
CWE
-
Yayın Tarihi
2026-04-22 06:16:02
Güncelleme
2026-04-22 06:16:02
Source Identifier
security@vmware.com
KEV Date Added
-