Timing Attack Bypass Vulnerability in Spring Security Products
CVE-2026-22746

3.7 LOW

Key Information:

Vendor: Spring

CVE Published: 22 April 2026

What is CVE-2026-22746?

A vulnerability in Spring Security allows attackers to bypass the timing attack defenses associated with user attributes such as UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked. The issue can lead to unauthorized access for users marked as disabled, expired, or locked, potentially exposing sensitive application functionality. Applications that rely on these user attributes and run an affected version of Spring Security (see the version ranges below) are at risk and should be updated to mitigate this vulnerability.

Affected Version(s)

Spring Security 5.7.0 through 5.7.22 (inclusive)

Spring Security 5.8.0 through 5.8.24 (inclusive)

Spring Security 6.3.0 through 6.3.15 (inclusive)
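The practical check a defender wants from this advisory is whether a build pulls in one of the listed Spring Security ranges. The script below is an added example, not part of the advisory and not Spring's own tooling: it encodes the three inclusive ranges exactly as listed above and scans a constructed snippet in the shape of Maven `dependency:list` output (the `groupId:artifactId:type:version:scope` line format is an assumption about that tool's output). It flags only the ranges printed on this page; it says nothing about versions the advisory does not mention.

```python
import re

# Affected ranges exactly as listed in the advisory (both bounds inclusive).
AFFECTED_RANGES = [
    ((5, 7, 0), (5, 7, 22)),
    ((5, 8, 0), (5, 8, 24)),
    ((6, 3, 0), (6, 3, 15)),
]

# Only artifacts from the Spring Security group are relevant to this CVE.
SPRING_SECURITY_GROUP = "org.springframework.security"

# Matches one resolved dependency in (assumed) `mvn dependency:list` format:
# groupId:artifactId:type:version[:scope]
DEP_RE = re.compile(
    r"(" + re.escape(SPRING_SECURITY_GROUP) + r"):([\w.-]+):\w+:([^:\s]+)(?::\w+)?"
)


def parse_version(version):
    """Turn '6.3.15' or '5.7.22.RELEASE' into a comparable tuple (6, 3, 15).

    Only the leading major.minor.patch triple is considered; any qualifier
    after it is ignored for range comparison.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's listed ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_dependency_list(text):
    """Return [(coordinate, version), ...] for Spring Security artifacts in
    the listed affected ranges. Non-Spring-Security lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if is_affected(version):
            findings.append((f"{group}:{artifact}", version))
    return findings


# Constructed sample in the shape of `mvn dependency:list` output; the
# artifact versions here are made up for the demonstration.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-core:jar:6.3.14:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.3.14:compile
[INFO]    org.springframework:spring-core:jar:6.1.20:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
"""


if __name__ == "__main__":
    for coordinate, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"CVE-2026-22746 affected range: {coordinate} {version}")
```

Run it against real `mvn dependency:list` (or equivalent Gradle) output captured to a file to get the same report for an actual build; the range table is the only part that needs to change if the advisory is updated.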


CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved