
Spring LDAP CVE-2026-41720

EUVD-2026-35324 · Severity: HIGH
Improper Authentication (CWE-287)
2026-06-09 · vmware · GHSA-jrv5-8w28-4265
CVSS 3.1 base score: 7.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 09, 2026 - 06:01 (EUVD)
Analysis Generated: Jun 09, 2026 - 05:09 (vuln.today)

Description (NVD)

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.

Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.

Analysis (AI)

Authentication bypass in Spring LDAP's DirContextAuthenticationStrategy allows remote unauthenticated attackers to succeed at LDAP bind operations by supplying any non-empty username paired with an empty or null password, because the framework fails to reject such anonymous-equivalent bind requests before issuing them. Affected releases span Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3, putting Java applications that delegate authentication to these libraries at risk of attackers impersonating arbitrary users. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify Spring LDAP-backed login endpoint
  • Delivery: Enumerate valid usernames or DNs
  • Exploit: Submit username with empty password
  • Execution: DirContextAuthenticationStrategy issues anonymous bind
  • Persist: Directory server returns bind success
  • Impact: Application grants authenticated session as target user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application uses one of the vulnerable Spring LDAP versions (2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, or 4.0.0-4.0.3) and invokes a DirContextAuthenticationStrategy implementation as its authentication mechanism, treating a bind that returns without an exception as proof of valid credentials. …

Risk Assessment: The CVSS 3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects network-reachable, unauthenticated abuse yielding high confidentiality and integrity impact; the high attack complexity reflects that the backend directory server must accept anonymous-style binds and that the calling application must rely on Spring LDAP's bind result as its authentication decision. …

Exploit Scenario: An attacker targets a web application whose login form delegates credential verification to Spring LDAP; they submit a valid (or guessed) username such as 'administrator' together with a blank password field. Spring LDAP issues the bind, the directory server treats the empty-password bind as anonymous and returns success, and the affected DirContextAuthenticationStrategy reports authentication success back to the application, which then issues a session as the targeted user. …

Remediation: Upgrade Spring LDAP to a fixed release on your current maintenance branch: per the version ranges in the advisory, the upstream fix is available in versions later than 2.4.4, 3.2.17, 3.3.7, and 4.0.3 (consult https://spring.io/security/cve-2026-41720 for the exact patched release labels before deploying, as the released patched version is not independently confirmed in this dataset beyond the closed ranges). …
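The bind semantics behind the description and exploit scenario above, and the client-side guard an application should apply regardless of library version, as an added Python model (not Spring LDAP's own code; the DirectoryServer class, the sample account data and both authenticate functions are constructed for illustration):

```python
from typing import Dict, Optional


class DirectoryServer:
    """Stand-in for an LDAP server that, like many real directories, implements
    the RFC 4513 'unauthenticated' mechanism: a bind with a non-empty name and
    an empty password does not fail, it simply yields an anonymous session."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self.accounts = accounts  # dn -> password (constructed sample data)

    def bind(self, dn: str, password: Optional[str]) -> str:
        if not dn:
            return "anonymous"          # plain anonymous bind
        if password is None or password == "":
            return "anonymous"          # unauthenticated bind: nothing is checked
        if self.accounts.get(dn) == password:
            return "authenticated"
        raise PermissionError("invalidCredentials")


def vulnerable_authenticate(server: DirectoryServer, dn: str,
                            password: Optional[str]) -> bool:
    """Mirrors the flawed pattern the advisory describes: the credential pair is
    handed straight to bind() and any bind that does not raise counts as success."""
    try:
        server.bind(dn, password)
        return True
    except PermissionError:
        return False


def hardened_authenticate(server: DirectoryServer, dn: str,
                          password: Optional[str]) -> bool:
    """Reject an empty or null password before any network round trip, and then
    insist on an authenticated (not merely non-failing) bind result."""
    if not dn or password is None or password == "":
        return False
    try:
        return server.bind(dn, password) == "authenticated"
    except PermissionError:
        return False


# Constructed sample directory with a single account.
ADMIN_DN = "uid=administrator,ou=people,dc=example,dc=com"
SAMPLE_DIRECTORY = DirectoryServer({ADMIN_DN: "correct-horse-battery"})
```

Run against SAMPLE_DIRECTORY, vulnerable_authenticate accepts ADMIN_DN with an empty password while hardened_authenticate refuses it and still accepts the real password.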

Recommended Action (AI)

Within 24 hours: Inventory all Java applications running Spring LDAP 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, or 4.0.0-4.0.3; enable detailed LDAP bind logging so that bind attempts carrying a username with an empty password can be spotted. …
