What is CVE-2026-22746?

CVE-2026-22746 is a low-severity vulnerability in Spring Security. CVSS score: 3.7/10. Published 2026-04-22.

How severe is CVE-2026-22746?

Low severity. CVSS v3 base score is 3.7 out of 10.

Vulnerability in Spring Security

CVE-2026-22746

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack d…

EPSS: 0.001 (20.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Spring Security — versions 5.7.0, 5.8.0, 6.3.0

References

spring.io/security/cve-2026-22746

Frequently asked questions

What is CVE-2026-22746?: CVE-2026-22746 is a low-severity vulnerability in Spring Security. CVSS score: 3.7/10. Published 2026-04-22.
How severe is CVE-2026-22746?: Low severity. CVSS v3 base score is 3.7 out of 10.