Spring Security User Attribute Enumeration Vulnerability in DaoAuthenticationProvider

Vulnerability

A vulnerability exists in Spring Security versions 5.7.0 through 5.7.22, 5.8.0 through 5.8.24, 6.3.0 through 6.3.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4. When an application uses the UserDetails methods isEnabled, isAccountNonExpired, or isAccountNonLocked to manage user account state, the timing attack defenses of DaoAuthenticationProvider can be circumvented. The bypass affects accounts that are disabled, expired, or locked.
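The following Java program is an added illustration of the general pattern behind this class of issue; it is constructed for this page and is not Spring Security's own code, nor does it reproduce the new DaoAuthenticationProvider setter mentioned under Remediation. The Account record, the authenticateStateFirst and authenticateConstantWork methods, and the PBKDF2 parameters are all assumptions chosen for the example. It contrasts an authentication flow that evaluates account-state flags before the (expensive) password check, so that disabled, expired, or locked accounts are rejected almost instantly, with a flow that always performs the same password-hashing work and only then combines the result with the state flags.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Optional;

// Constructed stand-in for UserDetails: only the three account-state flags named in
// the advisory are modelled (isEnabled, isAccountNonExpired, isAccountNonLocked).
record Account(String username, byte[] salt, byte[] passwordHash,
               boolean enabled, boolean accountNonExpired, boolean accountNonLocked) {}

public class ConstantWorkAuthentication {
    // Assumed PBKDF2 parameters; the point is only that hashing is deliberately slow.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Dummy record used when the username does not exist, so the unknown-user path
    // performs the same hashing work as the known-user path.
    private static final Account DUMMY = makeDummy();

    static byte[] hash(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    private static Account makeDummy() {
        try {
            byte[] salt = newSalt();
            return new Account("<dummy>", salt, hash("dummy-password".toCharArray(), salt),
                    false, false, false);
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    // Leaky ordering: the state flags short-circuit before the password is hashed.
    // A disabled, expired, or locked account returns in microseconds; an enabled one
    // pays the full PBKDF2 cost. The response time therefore reveals the account state.
    static boolean authenticateStateFirst(Optional<Account> lookup, char[] password) throws Exception {
        if (lookup.isEmpty()) {
            return false;
        }
        Account a = lookup.get();
        if (!a.enabled() || !a.accountNonExpired() || !a.accountNonLocked()) {
            return false; // fast path that skips the hash entirely
        }
        return MessageDigest.isEqual(hash(password, a.salt()), a.passwordHash());
    }

    // Hardened ordering: the password hash is always computed (against DUMMY when the
    // user is unknown), and the state flags are folded in afterwards with non-short-circuit
    // operators, so every outcome performs the same amount of work.
    static boolean authenticateConstantWork(Optional<Account> lookup, char[] password) throws Exception {
        Account a = lookup.orElse(DUMMY);
        boolean passwordOk = MessageDigest.isEqual(hash(password, a.salt()), a.passwordHash());
        boolean stateOk = a.enabled() & a.accountNonExpired() & a.accountNonLocked();
        return lookup.isPresent() & passwordOk & stateOk;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample accounts: one enabled, one locked, both with the same password.
        char[] pw = "correct horse battery staple".toCharArray();
        byte[] s1 = newSalt();
        byte[] s2 = newSalt();
        Account enabled = new Account("alice", s1, hash(pw, s1), true, true, true);
        Account locked = new Account("bob", s2, hash(pw, s2), true, true, false);

        System.out.println("state-first,   enabled: " + authenticateStateFirst(Optional.of(enabled), pw));
        System.out.println("state-first,   locked : " + authenticateStateFirst(Optional.of(locked), pw));
        System.out.println("constant-work, enabled: " + authenticateConstantWork(Optional.of(enabled), pw));
        System.out.println("constant-work, locked : " + authenticateConstantWork(Optional.of(locked), pw));
        System.out.println("constant-work, unknown: " + authenticateConstantWork(Optional.empty(), pw));
    }
}
```

Both flows return the same boolean answers (only the enabled account with the right password succeeds), which is why the difference is invisible in functional tests and has to be caught by reviewing where the account-state checks sit relative to the password encoder. MessageDigest.isEqual is used because it compares the two digests without returning early on the first mismatching byte.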

Impact

Exploitation of this vulnerability bypasses the timing attack defenses of DaoAuthenticationProvider, allowing an attacker to infer user account attributes (whether an account is disabled, expired, or locked) from response timing.

Remediation

Users should upgrade to Spring Security versions 5.7.23, 5.8.25, 6.3.16, 6.4.16, 6.5.10, or 7.0.5. Note that version 7.0.5 introduces a new setter on DaoAuthenticationProvider that can be used to manage additional user checks.

Added: Apr 22, 2026, 6:21 AM
Updated: Apr 22, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.