Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.
RFC 4513 Section 5.1.2 defines this as an unauthenticated bind. On LDAP servers that permit such binds, an attacker with a valid username and an empty password can bypass password verification.
This affects authentications performed through AbstractContextSource, LdapTemplate, and LdapClient.
This is similar to a vulnerability previously announced in Spring Security as CVE-2014-0079.
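The check the advisory describes, as an added defensive illustration that is not part of Spring LDAP or of the fix itself: a hypothetical wrapper strategy (`RejectUnauthenticatedBindStrategy`, a name chosen here) that fails closed before the bind is ever sent when a principal is present but the credential is empty or null. It assumes the `DirContextAuthenticationStrategy` interface with its two methods `setupEnvironment` and `processContextAfterCreation`, and `LdapContextSource.setAuthenticationStrategy`, as found in Spring LDAP.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;

/**
 * Hypothetical wrapper (example code, not part of Spring LDAP). It refuses to
 * set up a bind where the principal is present but the credential is empty or
 * null; per RFC 4513 section 5.1.2 a server may otherwise treat that as an
 * unauthenticated bind and report success without verifying any password.
 */
public final class RejectUnauthenticatedBindStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public RejectUnauthenticatedBindStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    /** The condition from the advisory: non-empty username, empty or null password. */
    static boolean isUnauthenticatedBind(String userDn, String password) {
        boolean hasPrincipal = userDn != null && !userDn.isEmpty();
        boolean hasCredential = password != null && !password.isEmpty();
        return hasPrincipal && !hasCredential;
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        if (isUnauthenticatedBind(userDn, password)) {
            // Fail closed on the client side; the server never sees the bind request.
            throw new NamingException("Refusing unauthenticated bind for principal " + userDn);
        }
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }

    /** Wiring example: wrap the default simple-bind strategy on a context source. */
    public static LdapContextSource wrap(LdapContextSource contextSource) {
        contextSource.setAuthenticationStrategy(
                new RejectUnauthenticatedBindStrategy(new SimpleDirContextAuthenticationStrategy()));
        return contextSource;
    }
}
```

Because AbstractContextSource, LdapTemplate and LdapClient all route their binds through the configured strategy, wrapping it at the context source covers the three entry points the advisory lists; upgrading to a fixed version remains the actual remedy.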
Spring LDAP:
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 2.4.x | 2.4.5 | Enterprise Support Only |
| 3.2.x | 3.2.18 | Enterprise Support Only |
| 3.3.x | 3.3.8 | OSS |
| 4.0.x | 4.0.4 | OSS |
No further mitigation steps are necessary.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.