CVE-2026-41720
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.
Risk Assessment
This may lead to unauthorized access as the system does not validate the password for users with non-empty usernames.
Recommendation
It is recommended to upgrade to the latest version of Spring LDAP to ensure proper validation of login credentials.
Original NVD description (English source)
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.

