CVE-2026-41720

Vulnerability

Spring LDAP's DirContextAuthenticationStrategy implementations fail to reject bind requests where a non-empty username is provided with an empty or null password. This issue affects Spring LDAP versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. The vulnerability arises because RFC 4513 Section 5.1.2 defines such a bind as unauthenticated [1].

Exploitation

An attacker can exploit this vulnerability by providing a valid username along with an empty or null password in a bind request. This is possible if the underlying LDAP server permits unauthenticated binds. The vulnerability affects authentications performed through AbstractContextSource, LdapTemplate, and LdapClient [1].

Impact

On LDAP servers that permit unauthenticated binds, a successful exploitation allows an attacker to bypass password verification and gain authenticated access. This can lead to unauthorized access to sensitive information or resources that are protected by LDAP authentication, potentially resulting in information disclosure and unauthorized system access [1].

Mitigation

Users of affected Spring LDAP versions should upgrade to the following fixed versions: 2.4.5 (Enterprise Support Only), 3.2.18 (Enterprise Support Only), 3.3.8 (OSS), or 4.0.4 (OSS). Unsupported versions are also affected. No further mitigation steps are necessary beyond upgrading [1].