Security Advisory

CVE-2026-22746

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-22 05:02:24

Last updated 2026-04-22 13:36:42

Assigner vmware

State PUBLISHED

Description

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProviders timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

← Browse all CVEs View on cve.org ↗