CVE Catalog

CVE-2026-41720

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.

Risk Assessment

This may lead to unauthorized access as the system does not validate the password for users with non-empty usernames.

Recommendation

It is recommended to upgrade to the latest version of Spring LDAP to ensure proper validation of login credentials.

Original NVD description (English source)

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS