Platform: java
Component: spring-security
Fixed in: 5.7.23, 5.8.25, 6.3.16, 6.4.16, 6.5.10, 7.0.5
CVE-2026-22746 is a security vulnerability affecting Spring Security, specifically related to timing attacks when using user attribute checks (isEnabled, isAccountNonExpired, isAccountNonLocked). An attacker can bypass the timing attack defense mechanism designed to protect against credential stuffing and brute-force attacks for users who are disabled, expired, or locked. This vulnerability impacts versions 5.7.0 through 7.0.4 and requires immediate attention to prevent unauthorized access.
The primary impact of CVE-2026-22746 is the potential for unauthorized access to user accounts. Attackers can exploit this vulnerability to bypass the timing attack defense mechanism, allowing them to more easily guess valid credentials for disabled, expired, or locked accounts. This bypass significantly reduces the effectiveness of security measures intended to mitigate credential stuffing and brute-force attacks. While the CVSS score is LOW, the potential for widespread credential stuffing attacks targeting applications using Spring Security makes this a significant concern. The vulnerability's impact is amplified in environments where user accounts are frequently disabled, expired, or locked as part of security policies.
CVE-2026-22746 was publicly disclosed on April 22, 2026. While no public proof-of-concept (PoC) has been released, the nature of the vulnerability – a timing attack bypass – makes it likely that PoCs will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the widespread use of Spring Security and the relatively straightforward nature of timing attacks, there is a moderate probability of exploitation.
Applications using Spring Security versions 5.7.0–7.0.4 that rely on the UserDetails#isEnabled, UserDetails#isAccountNonExpired, or UserDetails#isAccountNonLocked attributes for authentication are at risk. This includes applications with robust account lifecycle management policies that frequently disable, expire, or lock user accounts. Shared hosting environments utilizing Spring Security are also particularly vulnerable due to the potential for cross-tenant attacks.
• java / server: Monitor application logs for unusual authentication patterns, particularly failed login attempts targeting disabled or locked accounts. Use a security information and event management (SIEM) system to correlate authentication events with other security indicators.
• generic web: Examine web server access logs for repeated login attempts from the same IP address targeting user accounts with specific attributes (disabled, expired, locked). Look for patterns indicative of credential stuffing.
grep 'authentication failure' /var/log/apache2/error.log | grep -E 'disabled|expired|locked'
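A way to turn the log-monitoring guidance above into a repeatable check, as an added example that is not part of the original advisory: it flags source IPs that hit several distinct disabled, expired or locked accounts inside a short window, the pattern a credential-stuffing run against such accounts would leave. The log line format, field names, reason values and sample entries are constructed assumptions, not Spring Security's actual log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The format is an
# assumption: "<ISO ts> WARN auth-failure ip=<addr> user=<name> reason=<why>"
SAMPLE_LOG = """\
2026-04-22T10:00:01Z WARN auth-failure ip=203.0.113.5 user=alice reason=locked
2026-04-22T10:00:02Z WARN auth-failure ip=203.0.113.5 user=bob reason=disabled
2026-04-22T10:00:03Z WARN auth-failure ip=203.0.113.5 user=carol reason=expired
2026-04-22T10:00:04Z WARN auth-failure ip=203.0.113.5 user=dave reason=locked
2026-04-22T10:00:05Z WARN auth-failure ip=203.0.113.5 user=erin reason=disabled
2026-04-22T10:00:06Z WARN auth-failure ip=198.51.100.7 user=alice reason=bad-credentials
2026-04-22T10:00:07Z WARN auth-failure ip=198.51.100.7 user=alice reason=bad-credentials
2026-04-22T10:30:00Z WARN auth-failure ip=192.0.2.9 user=frank reason=locked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) WARN auth-failure ip=(?P<ip>\S+) user=(?P<user>\S+) reason=(?P<reason>\S+)$"
)
# Failures caused by account state rather than a wrong password.
STATE_REASONS = {"disabled", "expired", "locked"}


def parse(log_text):
    """Yield (timestamp, ip, user, reason) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["reason"]


def find_probing_ips(log_text, window=timedelta(minutes=5), min_accounts=3):
    """Return {ip: sorted distinct account names} for every IP that produced
    state-based failures against at least `min_accounts` distinct accounts
    within any `window`-long span."""
    events = defaultdict(list)  # ip -> [(ts, user)] for state-based failures only
    for ts, ip, user, reason in parse(log_text):
        if reason in STATE_REASONS:
            events[ip].append((ts, user))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted({u for _, u in hits})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(users)} disabled/expired/locked accounts: {', '.join(users)}")
```

Tune `window` and `min_accounts` to your own login volume; a single locked-account failure is normal user behaviour, a spread across many such accounts from one source is not.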
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22746 is to upgrade to a patched version of Spring Security. Versions 5.7.23+, 5.8.25+, 6.3.16+, 6.5.10+, and 7.0.5+ address this vulnerability. If upgrading immediately is not feasible, consider implementing stricter authentication logic to avoid relying solely on the vulnerable user attribute checks. This could involve implementing multi-factor authentication (MFA) or other stronger authentication methods. Review and harden authentication policies to minimize the reliance on these attributes. Monitor authentication logs for suspicious activity, particularly failed login attempts targeting disabled or locked accounts.
Update Spring Security to version 5.7.23 or later, 5.8.25 or later, 6.3.16 or later, 6.4.16 or later, 6.5.10 or later, or 7.0.5 or later. This update fixes a timing attack vulnerability that allows the defenses of DaoAuthenticationProvider to be bypassed when user attributes such as isEnabled, isAccountNonExpired or isAccountNonLocked are used.
CVE-2026-22746 is a LOW severity vulnerability in Spring Security allowing attackers to bypass timing attack defenses for disabled, expired, or locked user accounts, potentially leading to unauthorized access.
You are affected if your application uses Spring Security versions 5.7.0–7.0.4 and relies on isEnabled, isAccountNonExpired, or isAccountNonLocked attributes for authentication.
Upgrade to a patched version of Spring Security: 5.7.23+, 5.8.25+, 6.3.16+, 6.5.10+, or 7.0.5+.
While no active exploitation has been confirmed, the vulnerability's nature makes exploitation attempts likely.
Refer to the Spring Security project's official security advisories for detailed information and updates: [https://security.spring.io/](https://security.spring.io/)