CVE-2026-22746: Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

April 22, 2026 (updated April 29, 2026)

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider’s timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

References

github.com/advisories/GHSA-vxf7-qj7q-83fh
github.com/spring-projects/spring-security
nvd.nist.gov/vuln/detail/CVE-2026-22746
spring.io/security/cve-2026-22746

Code Behaviors & Features

Detect and mitigate CVE-2026-22746 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →