VYPR
Low severity 3.7 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026

CVE-2026-22746

Description

Vulnerability in Spring Spring Security. If an application uses the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                            Ecosystem   Affected versions       Patched versions
org.springframework.security:spring-security-core  Maven       >= 5.7.0, <= 5.7.22
org.springframework.security:spring-security-core  Maven       >= 5.8.0, <= 5.8.24
org.springframework.security:spring-security-core  Maven       >= 6.3.0, <= 6.3.15
org.springframework.security:spring-security-core  Maven       >= 6.4.0, <= 6.4.15
org.springframework.security:spring-security-core  Maven       >= 6.5.0, < 6.5.10      6.5.10
org.springframework.security:spring-security-core  Maven       >= 7.0.0, < 7.0.5       7.0.5
