CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: 2.4.5
- Affected Products: 1
HarborGuard Analysis
Synopsis
Authentication bypass in Spring LDAP affects versions 2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, and 4.0.0-4.0.3. The flaw is reachable over the network with no credentials required, though exploitation requires meeting specific conditions (high attack complexity per the CVSS vector); a non-empty username paired with an empty or null password is accepted as a valid bind by the DirContextAuthenticationStrategy implementations, bypassing authentication entirely. Successful exploitation allows an attacker to read protected data and tamper with directory-backed resources. Patched-image rebuilds at versions 2.4.5, 3.2.18, 3.3.8, and 4.0.4 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-41720 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Spring LDAP. HarborGuard's scanner identifies all four affected version ranges across registries and active CI/CD pipelines.
Triage is available using the CVSS v3.1 base score of 7.4 (HIGH), weighted further by each customer organization's compliance policy to surface the finding in the appropriate team inbox. Per-environment policy configuration controls escalation thresholds and assignee routing without requiring manual intervention.
Patched-image rebuilds at Spring LDAP versions 2.4.5, 3.2.18, 3.3.8, and 4.0.4 become available on HarborGuard the moment the fix versions are ingested. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable Spring LDAP bind endpoint must be reachable over the network; an attacker submits a crafted authentication request remotely.
- Authentication: Not required
  No existing credentials are needed; the attacker supplies only a non-empty username with an empty or null password to trigger the bypass.
- Victim interaction: Not required
  No user action or social engineering is required; the attacker interacts directly with the service endpoint.
- Attack complexity: High
  Attack complexity is rated HIGH, meaning the attacker must satisfy specific environmental or timing conditions beyond simple network access, such as targeting a deployment that relies on LDAP bind for authentication without additional validation layers.
Blast Radius
- Reads directory-backed resources, including user account attributes, group memberships, and any data exposed through the LDAP tree to authenticated sessions.
- Modifies directory entries if the LDAP account being impersonated carries write permissions, including user profile data or access-control group assignments.
- Gains the effective access level of any account whose username is known, bypassing password enforcement entirely for those accounts.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41720 is active across all customer registries and pipelines, matching images that bundle any affected Spring LDAP version range (2.4.0-2.4.4, 3.2.0-3.2.17, 3.3.0-3.3.7, 4.0.0-4.0.3). Patched rebuilds targeting 2.4.5, 3.2.18, 3.3.8, or 4.0.4 (depending on the version branch in use) are available once the fix is ingested. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard routes the finding with full CVSS context to the configured team inbox for manual review. While awaiting remediation, consider applying network policy to restrict which services can reach your LDAP endpoint and adding an application-layer check that rejects empty passwords before delegating to Spring LDAP's bind logic.
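The interim application-layer check recommended above, as an added example for this page (it is neither Spring LDAP's own fix nor HarborGuard's code): a decorator around the `DirContextAuthenticationStrategy` interface that refuses a bind attempt where a non-empty principal arrives with an empty or null password, before the wrapped strategy prepares the JNDI environment. It assumes the interface's two-method shape (`setupEnvironment` and `processContextAfterCreation`) and the `setAuthenticationStrategy` setter on `LdapContextSource`; the DN and passwords in `main` are constructed sample values, and the demonstration runs offline because only the environment table is populated, no server is contacted.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;

/**
 * Hypothetical decorator written for this page (not part of Spring LDAP): refuses the
 * "named principal, empty or null password" combination before the wrapped strategy ever
 * prepares a bind, and passes every other call through to the delegate unchanged.
 */
public final class EmptyPasswordRejectingStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public EmptyPasswordRejectingStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    private static boolean isEmpty(String s) {
        return s == null || s.isEmpty();
    }

    /**
     * The check itself. A bind with no principal at all is the anonymous-bind case, which is
     * a separate and explicit configuration decision left to the delegate; only a non-empty
     * principal paired with an empty or null password is refused here.
     */
    static void requireCredentials(String userDn, String password) throws AuthenticationException {
        if (!isEmpty(userDn) && isEmpty(password)) {
            // javax.naming.AuthenticationException is a NamingException, so callers that already
            // handle bind failures see this rejection the same way they would see a server refusal.
            throw new AuthenticationException("empty password rejected for principal " + userDn);
        }
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        requireCredentials(userDn, password);
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        requireCredentials(userDn, password);
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }

    /**
     * Wiring into a context source. The container (or caller) still initialises the bean as
     * usual; only the strategy is swapped for the decorated one.
     */
    public static LdapContextSource hardenedContextSource(String url, String base) {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl(url);
        cs.setBase(base);
        cs.setAuthenticationStrategy(
                new EmptyPasswordRejectingStrategy(new SimpleDirContextAuthenticationStrategy()));
        return cs;
    }

    /** Offline demonstration: only the JNDI environment table is prepared, no directory is contacted. */
    public static void main(String[] args) throws NamingException {
        DirContextAuthenticationStrategy strategy =
                new EmptyPasswordRejectingStrategy(new SimpleDirContextAuthenticationStrategy());
        String dn = "uid=alice,ou=people,dc=example,dc=com"; // constructed sample DN

        Hashtable<String, Object> env = new Hashtable<>();
        strategy.setupEnvironment(env, dn, "correct-horse-battery-staple"); // constructed sample password
        System.out.println("principal set for bind: " + env.get(Context.SECURITY_PRINCIPAL));

        for (String bad : new String[] {"", null}) {
            try {
                strategy.setupEnvironment(new Hashtable<>(), dn, bad);
                System.out.println("UNEXPECTED: bind environment prepared with empty password");
            } catch (AuthenticationException e) {
                System.out.println("rejected before bind: " + e.getMessage());
            }
        }
    }
}
```

Because every authenticated `getContext` call on the context source (and therefore `LdapTemplate.authenticate`) goes through the configured strategy, the refusal happens before any connection to the directory, which also gives you a single place to log and alert on empty-password attempts while the upgrade to the fixed branch is rolled out.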
Fix available
- Spring / Spring LDAP: < 2.4.5 (from 2.4.0) · < 3.2.18 (from 3.2.0) · < 3.3.8 (from 3.3.0) · < 4.0.4 (from 4.0.0)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N