Observable Timing Discrepancy in org.springframework.security:spring-security-core

CVE-2026-22746

  • org.springframework.security:spring-security-core
Severity Low
Score 3.7/10

Summary

Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
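As an added illustration (not code from the advisory or from the Spring Security project), the configuration below shows one way an application can keep the password comparison on every login path before any account-status check runs, so a disabled, expired, or locked account costs the same time as a wrong password. It assumes the Spring Security 6.x/7.x DaoAuthenticationProvider API (constructor taking a UserDetailsService) and is meant to complement, not replace, moving to a version the advisory does not list as affected.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical configuration class (not part of Spring Security). It reorders
// the checks so the password hash comparison always happens first.
@Configuration
public class UniformTimingAuthenticationConfig {

    @Bean
    DaoAuthenticationProvider daoAuthenticationProvider(UserDetailsService users,
                                                        PasswordEncoder encoder) {
        // Assumes the 6.x/7.x constructor that accepts the UserDetailsService.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider(users);
        provider.setPasswordEncoder(encoder);

        // Default behaviour: the pre-authentication checks (locked, disabled,
        // expired) throw before the password is compared, so those accounts
        // fail measurably faster than an existing account with a wrong
        // password. Replace them with a no-op so the hash comparison, which is
        // the expensive, near-constant-cost step, runs on every path.
        UserDetailsChecker noPreChecks = user -> { };
        provider.setPreAuthenticationChecks(noPreChecks);

        // Apply every status check only after the password has been verified.
        // AccountStatusUserDetailsChecker covers locked, disabled, account
        // expired and credentials expired, so no check from the defaults is
        // lost; the account is still denied, just after the constant-cost step.
        provider.setPostAuthenticationChecks(new AccountStatusUserDetailsChecker());

        // Keep "user not found" failures indistinguishable from bad-password
        // failures (this is the default, stated here for clarity).
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }
}
```

A regression test that times authenticate() for a disabled account against a wrong-password attempt on an enabled account, over many samples, is a practical way to confirm the two distributions no longer differ.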

  • HIGH
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Advisory Timeline

  • Published