{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22746", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.990Z", "datePublished": "2026-04-22T05:02:24.327Z", "dateUpdated": "2026-04-22T05:02:24.327Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-22T05:02:24.327Z"}, "title": "User Attribute Enumeration when Using DaoAuthenticationProvider", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.0", "lessThanOrEqual": "5.7.22", "versionType": "custom"}, {"status": "affected", "version": "5.8.0", "lessThanOrEqual": "5.8.24", "versionType": "custom"}, {"status": "affected", "version": "6.3.0", "lessThanOrEqual": "6.3.15", "versionType": "custom"}, {"status": "unknown", "version": "6.4.0", "lessThanOrEqual": "6.4.15", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.9", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using the\u00a0UserDetails#isEnabled,\u00a0#isAccountNonExpired, or\u00a0#isAccountNonLocked\u00a0user attributes, to enable, expire, or lock users, then\u00a0DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. If an application is using the&nbsp;<code>UserDetails#isEnabled</code>,&nbsp;<code>#isAccountNonExpired</code>, or&nbsp;<code>#isAccountNonLocked</code>&nbsp;user attributes, to enable, expire, or lock users, then&nbsp;<code>DaoAuthenticationProvider</code>'s timing attack defense can be bypassed for users who are disabled, expired, or locked.<p>This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22746"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. If an application is using the\u00a0UserDetails#isEnabled,\u00a0#isAccountNonExpired, or\u00a0#isAccountNonLocked\u00a0user attributes, to enable, expire, or lock users, then\u00a0DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22746", "lastModified": "2026-04-22T06:16:02.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-22T06:16:02.780", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22746"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:05:51.525712+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a non\u2011affected release (e.g., 5.7.23 or later, 5.8.25 or later, 6.3.16 or later, 6.5.10 or later, 7.0.5 or later).", "If immediate upgrade is not possible, enforce uniform authentication failure responses and maintain constant response times to diminish timing side\u2011channel information leakage.", "Review the use of UserDetails isEnabled, isAccountNonExpired, and isAccountNonLocked attributes in authentication logic; consider removing or securing them, or implementing a custom DaoAuthenticationProvider that applies a constant\u2011time check."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure \u2013 User Attribute Enumeration"}, "threat_synthesis": {"affected_systems": "Affected versions include Spring Security 5.7.0 through 5.7.22, 5.8.0 through 5.8.24, 6.3.0 through 6.3.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. Any application that relies on the standard DaoAuthenticationProvider and incorporates the UserDetails status attributes within these version ranges is potentially impacted.", "description_and_impact": "Spring Security allows the use of UserDetails attributes such as isEnabled, isAccountNonExpired, or isAccountNonLocked to control user status. The DaoAuthenticationProvider includes a timing attack defense designed to mask differences in authentication responses. However, this defense can be bypassed for users whose accounts are disabled, expired, or locked, revealing their state. The result is a potential information\u2011disclosure vulnerability that lets an attacker enumerate or confirm the status of specific user accounts without needing valid credentials.", "risk_and_exploitability": "The CVSS score of 3.7 indicates a low severity risk, and the EPSS score is not available, suggesting limited known exploitation activity. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector appears to rely on exploiting timing differences in authentication responses, which can be performed through routine authentication requests sent to the application. Because the flaw does not require elevated privileges or a code\u2011execution vector, it may be easier for an attacker to test with automated scanners."}}}}, "created": "2026-04-22T07:15:11.666617+00:00", "updated": "2026-04-22T07:15:11.666627+00:00", "vendors": []}