CVE-2026-41720: Spring LDAP Authentication Bypass via Empty Password (CVSS 7.4)
Spring LDAP, a widely-used library for LDAP authentication and directory operations, contains a flaw in how it validates user credentials during the authentication process. Specifically, the vulnerability allows attackers to successfully authenticate by providing a username with an empty or null password—credentials that should never be accepted. An attacker exploiting this could gain unauthorized access to systems relying on Spring LDAP for authentication, provided they can interact with the LDAP authentication flow.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-23
NVD description (verbatim)
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Spring LDAP's DirContextAuthenticationStrategy implementations, which fail to properly reject bind requests where a non-empty username is combined with an empty or null password. During LDAP authentication, the strategy should enforce that both the username and password are present and valid; instead, it permits the bind operation to proceed. This represents a broken authentication check at the protocol level. The flaw affects versions 2.4.0–2.4.4, 3.2.0–3.2.17, 3.3.0–3.3.7, and 4.0.0–4.0.3 across the entire version tree, suggesting the defect was introduced early and persisted through multiple release cycles.
Business impact
Applications using affected Spring LDAP versions for authentication—particularly enterprise systems relying on LDAP as the primary directory and identity service—face unauthorized access risk. An attacker without valid credentials could bypass authentication entirely by submitting a known username paired with a blank password, potentially leading to data theft, unauthorized privilege escalation, or system compromise. The impact severity depends on the application's architecture; if LDAP authentication is the only factor or if the LDAP-authenticated user gains broad system access, the business impact is critical. Regulated environments (finance, healthcare, government) face additional compliance and audit implications.
Affected systems
Any application or service that directly uses Spring LDAP library versions 2.4.0–2.4.4, 3.2.0–3.2.17, 3.3.0–3.3.7, or 4.0.0–4.0.3 for LDAP authentication is vulnerable. This includes enterprise applications, single sign-on (SSO) integrations, and identity management systems built on Spring Framework that delegate authentication to LDAP directories. Java-based systems predominate. Developers should audit their dependency trees to identify exposed versions; transitive dependencies may hide the vulnerable library from initial inspection.
Exploitability
The vulnerability has a CVSS score of 7.4 (HIGH) with a network-accessible attack vector and no privileges required, indicating straightforward exploitability. However, the attack complexity is rated as high, meaning successful exploitation requires specific conditions—such as knowledge of valid usernames or the ability to enumerate them, or a particular LDAP server configuration. The attacker does not need to interact with an end user (no UI required). The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, though this does not diminish its risk. Proof-of-concept development and operational exploitation are likely inevitable once public awareness grows.
Remediation
Organizations must upgrade affected Spring LDAP installations to patched versions as soon as possible. Verify the specific patched version numbers against the official Spring Security and Spring LDAP project advisories, as patches have been released across the affected version lines. For interim mitigation, implement additional authentication controls: require multi-factor authentication (MFA) if possible, restrict LDAP authentication access to internal networks only, and enforce password policies in the LDAP directory that prevent null or empty values. However, these mitigations do not resolve the underlying authentication bypass and should not be considered substitutes for patching.
Patch guidance
Check the official Spring LDAP security advisory and GitHub releases for the exact patched version numbers corresponding to each affected version line (2.4.x, 3.2.x, 3.3.x, and 4.0.x). Update your Spring LDAP dependency in your build system (Maven pom.xml, Gradle build.gradle, etc.) to the first patched release in your version series. After upgrading, re-test your LDAP authentication flows to confirm the vulnerability is resolved and that no authentication-related regressions are introduced. If you use Spring Security (which may integrate Spring LDAP), ensure both libraries are updated in coordination.
Detection guidance
Search your codebase and dependency manifests for Spring LDAP versions within the affected ranges. Automated dependency scanning tools (such as OWASP Dependency-Check, Snyk, or JFrog Xray) should flag these versions automatically. Monitor LDAP server logs for successful bind operations with empty or null passwords—these entries would be suspicious and indicate active exploitation attempts. Application logs may show unexpected authentication successes with missing or blank password fields. Additionally, review deployment inventories and container image registries to identify production systems running the vulnerable library versions.
Why prioritize this
This vulnerability merits immediate prioritization because it directly undermines core authentication security. With a HIGH CVSS score, network accessibility, no authentication requirement, and the ability to grant unauthorized system access, it should be treated as a critical security risk. The broad version range affected (spanning multiple major release lines) means many organizations may unwittingly be running vulnerable code. The fact that it is not yet on CISA's KEV list does not reduce urgency; it reflects only that weaponized public exploitation has not yet been formally documented, not that the risk is low. Any system relying on LDAP for authentication should be remediated within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 7.4 reflects a HIGH-severity vulnerability that is network-reachable (AV:N), requires high attack complexity (AC:H), needs no prior privileges (PR:N), and doesn't require user interaction (UI:N). The vulnerability impacts the confidentiality and integrity of the system (C:H, I:H) but not availability (A:N). The high attack complexity rating acknowledges that successful exploitation may require knowledge of valid usernames or familiarity with the target LDAP configuration. However, the scope remains unchanged (S:U), meaning the impact is limited to the affected component itself, not the broader system environment. A score of 7.4 indicates a strong business driver for rapid patching.
Frequently asked questions
How would an attacker exploit this vulnerability in a real-world scenario?
An attacker would need to know or guess a valid username in the target LDAP directory. They would then submit an LDAP bind request using that username paired with an empty or null password. If the application uses a vulnerable Spring LDAP version, the authentication strategy would incorrectly accept the request, granting the attacker access as that user. In environments with weak username enumeration controls or where usernames are predictable (e.g., firstname.lastname format), the attack is significantly more practical.
Does this vulnerability affect Spring Security separately, or only Spring LDAP?
The vulnerability is in Spring LDAP's DirContextAuthenticationStrategy implementations. Spring Security may integrate with Spring LDAP for LDAP-based authentication, but the root issue is in the LDAP library itself. If your application uses Spring LDAP directly or indirectly through Spring Security's LDAP provider, you are potentially affected. Check your dependency tree to confirm which versions are in use, and coordinate updates across both libraries if applicable.
We cannot patch immediately due to deployment constraints. What temporary controls should we implement?
While not a substitute for patching, implement defense-in-depth: enforce multi-factor authentication if technically feasible, restrict LDAP authentication to internal network access only, configure your LDAP server to reject bind requests with empty passwords at the directory level, monitor LDAP logs for suspicious bind activity, and apply additional authorization checks in your application beyond LDAP authentication. These measures reduce exploitability but do not eliminate the vulnerability. Establish a firm timeline for patching.
How can we identify if we are currently running a vulnerable version?
Review your application's dependency manifest (pom.xml for Maven, build.gradle for Gradle, or package.json for Node applications using JVM bindings). Use automated dependency scanning tools such as OWASP Dependency-Check, GitHub Dependabot, Snyk, or JFrog Xray, which maintain databases of known vulnerable versions. If Spring LDAP appears in the affected version ranges listed above, you are vulnerable. Also inspect any Docker images or container registries to ensure no production images contain the vulnerable library.
This analysis is provided for informational purposes and does not constitute professional security advice. The accuracy of technical details depends on vendor advisories and public disclosures current as of the publication date. Organizations should verify patch version numbers and compatibility against official vendor documentation before implementing changes. Actual exploitation success depends on environmental factors including LDAP server configuration, application architecture, and network access controls. SEC.co makes no warranties regarding the completeness or timeliness of this intelligence. Always consult with your security team and conduct thorough testing before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend