CVE Vulnerability Database

CVE-2026-41720: Spring LDAP Auth Bypass Vulnerability

CVE-2026-41720 is an authentication bypass flaw in Spring LDAP that allows bind requests with non-empty usernames and empty passwords. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-41720 Overview

CVE-2026-41720 is an authentication bypass vulnerability in Spring LDAP's DirContextAuthenticationStrategy implementations [CWE-287]. The affected implementations fail to reject Lightweight Directory Access Protocol (LDAP) bind requests that pair a non-empty username with an empty or null password. Many LDAP servers treat such a request as an unauthenticated bind (RFC 4513, section 5.1.2) and return success while establishing only an anonymous session; Spring LDAP sees the success result and reports the user as authenticated, so an attacker can log in as any valid user without supplying a password.

The flaw affects Spring LDAP versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. Applications that delegate login flows to Spring LDAP for credential verification are exposed to account takeover.

Critical Impact

A remote attacker can bypass authentication by submitting any valid username with an empty or null password, gaining the privileges of that account.

Affected Products

  • Spring LDAP 2.4.0 through 2.4.4
  • Spring LDAP 3.2.0 through 3.2.17 and 3.3.0 through 3.3.7
  • Spring LDAP 4.0.0 through 4.0.3

Discovery Timeline

  • 2026-06-09 - CVE-2026-41720 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-41720

Vulnerability Analysis

Spring LDAP provides the DirContextAuthenticationStrategy interface to encapsulate how an LDAP bind is performed against a directory server. An implementation populates the JNDI environment from the supplied principal and credentials (for the simple strategy, Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS), and the JNDI LDAP provider then builds and sends the bind request. The vulnerable implementations pass the credential value through without checking that it is a non-empty string.

When an LDAP server receives a simple bind that carries a distinguished name (DN) but an empty password, it may accept it under the unauthenticated authentication mechanism of RFC 4513 (section 5.1.2). The RFC recommends that servers reject such binds with unwillingToPerform by default, but Active Directory accepts them by default and other servers can be configured to. A server that accepts the bind returns success and treats the connection as anonymous; Spring LDAP sees only the success result and reports the login as verified, and applications that rely on that result grant access to the account named in the username field.

The impact depends on the targeted account. An attacker who knows or guesses a privileged username can authenticate to the application as that user. The vulnerability is exploitable over the network without prior authentication or user interaction.

Root Cause

The root cause is missing input validation in the credential field of the bind request [CWE-287]. The strategy classes do not enforce that the password is non-null and non-empty before invoking the LDAP bind, and they do not reject the server's success response when the supplied password was empty.

Attack Vector

An attacker submits a login request to an application that uses Spring LDAP for authentication. The attacker supplies a known or guessed username and leaves the password field empty or null. Spring LDAP performs the bind, the directory server returns a successful unauthenticated bind, and the application establishes a session as the targeted user.

The vulnerability is described in prose because no verified proof-of-concept code is available. See the Spring Security Advisory CVE-2026-41720 for vendor technical details.

Detection Methods for CVE-2026-41720

Indicators of Compromise

  • Directory server bind logs showing successful simple binds for a non-empty DN that the server classified as unauthenticated or anonymous. Most directories do not record the credential or its length, so rely on the server's own classification of the bind where it is logged.
  • Application authentication logs showing successful logins immediately followed by privileged actions from unfamiliar source addresses.
  • Repeated login attempts that iterate usernames while submitting empty password fields.

Detection Strategies

  • Inspect directory server audit logs for simple bind operations whose bindDN is non-empty but that the server processed as unauthenticated; where the server does log a credential length, a zero-length value with a non-empty bindDN is the direct indicator.
  • Correlate web application authentication events with LDAP bind events to surface logins where the credential field was empty at the application boundary.
  • Run a dependency scan against build artifacts to identify Spring LDAP versions within the affected ranges.

Monitoring Recommendations

  • Enable verbose LDAP bind logging on Active Directory or OpenLDAP and alert on successful binds with empty credentials.
  • Monitor for spikes in authentication success rates from a single source IP across multiple usernames.
  • Track Spring LDAP library versions in software bill of materials (SBOM) reports and flag instances inside the affected ranges, that is, below the patched release of the branch in use.
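Detection logic of the kind outlined above, as an added example (it is not from the advisory or from Spring LDAP): it scans application-side authentication events for successful logins whose submitted password had zero length, and for a single source iterating usernames with empty passwords. The log format and the sample lines are constructed for this example; a real application has to be made to log the submitted password's length (never the value) at the login boundary for such a rule to fire.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags empty-credential logins and empty-password username iteration in app auth logs. */
public final class EmptyCredentialLoginDetector {

    // Constructed sample events in an assumed "key=value" format (not a Spring LDAP log format).
    static final String[] SAMPLE_LOG = {
        "2026-06-10T08:15:02Z auth result=success user=alice src=10.0.4.17 pw_len=12",
        "2026-06-10T08:15:09Z auth result=success user=admin src=203.0.113.9 pw_len=0",
        "2026-06-10T08:15:10Z auth result=success user=backup src=203.0.113.9 pw_len=0",
        "2026-06-10T08:15:11Z auth result=failure user=nobody src=203.0.113.9 pw_len=0",
        "2026-06-10T08:15:12Z auth result=success user=svc-ci src=203.0.113.9 pw_len=0",
        "2026-06-10T08:16:44Z auth result=failure user=bob src=10.0.4.22 pw_len=7",
        "2026-06-10T08:16:45Z something unrelated that the parser must skip",
    };

    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) auth result=(success|failure) user=(\\S+) src=(\\S+) pw_len=(\\d+)$");

    /** Distinct usernames tried with an empty password from one source before it counts as a spray. */
    static final int SPRAY_THRESHOLD = 3;

    static List<String> analyze(String[] lines) {
        List<String> findings = new ArrayList<>();
        // source address -> usernames submitted with an empty password (success or failure)
        Map<String, Set<String>> emptyPwUsersBySrc = new TreeMap<>();

        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue; // not an auth event in the expected shape
            }
            String ts = m.group(1), result = m.group(2), user = m.group(3), src = m.group(4);
            int pwLen = Integer.parseInt(m.group(5));
            if (pwLen != 0) {
                continue; // a real credential was submitted; out of scope for this rule
            }
            if (result.equals("success")) {
                // A success with no password is the CVE-2026-41720 pattern at the app boundary.
                findings.add("EMPTY_CREDENTIAL_LOGIN " + ts + " user=" + user + " src=" + src);
            }
            emptyPwUsersBySrc.computeIfAbsent(src, k -> new HashSet<>()).add(user);
        }

        // One source walking many usernames with an empty password is enumeration of the bypass.
        emptyPwUsersBySrc.forEach((src, users) -> {
            if (users.size() >= SPRAY_THRESHOLD) {
                findings.add("EMPTY_PASSWORD_SPRAY src=" + src + " distinct_users=" + users.size());
            }
        });
        return findings;
    }

    public static void main(String[] args) {
        // Prints three EMPTY_CREDENTIAL_LOGIN lines (admin, backup, svc-ci) and one spray finding for 203.0.113.9.
        analyze(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

Failed attempts are counted toward the spray rule on purpose: an attacker iterating usernames will hit non-existent accounts too, and those failures are the earliest signal before a privileged name is guessed.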

How to Mitigate CVE-2026-41720

Immediate Actions Required

  • Upgrade Spring LDAP to a patched release outside the affected version ranges as soon as possible.
  • Reject authentication requests at the application layer when the submitted password is null or empty, before invoking Spring LDAP.
  • Disable or restrict anonymous and unauthenticated binds on the backing LDAP directory server.
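A check for the last item above, as an added example (not from the advisory): plain JNDI, with no Spring code involved, sends a simple bind for a DN with an empty password and classifies the directory's answer, so you can confirm whether a directory still honors unauthenticated binds after hardening it. The URL and DN are placeholders; run it only against directories you are authorized to test, and note that the attempt is recorded in the directory's audit log like any other bind.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.directory.InitialDirContext;

/** Probes whether a directory accepts a DN-plus-empty-password (unauthenticated) simple bind. */
public final class UnauthenticatedBindProbe {

    enum Outcome { ACCEPTED, REJECTED_BAD_CREDENTIALS, REJECTED_UNWILLING, OTHER_ERROR }

    /** Sends exactly the bind an affected Spring LDAP version would send and classifies the reply. */
    static Outcome probe(String url, String userDn) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, ""); // the CVE-2026-41720 combination: DN + empty password
        try {
            new InitialDirContext(env).close();
            return Outcome.ACCEPTED;                 // server answered success: unauthenticated binds allowed
        } catch (AuthenticationException e) {
            return Outcome.REJECTED_BAD_CREDENTIALS; // LDAP result 49 invalidCredentials
        } catch (OperationNotSupportedException e) {
            return Outcome.REJECTED_UNWILLING;       // LDAP result 53 unwillingToPerform (RFC 4513 default)
        } catch (NamingException e) {
            return Outcome.OTHER_ERROR;              // unreachable host, TLS failure, and so on
        }
    }

    public static void main(String[] args) {
        // Placeholder target and DN; pass your own as arguments.
        String url = args.length > 0 ? args[0] : "ldaps://ldap.example.internal:636";
        String dn = args.length > 1 ? args[1] : "uid=alice,ou=people,dc=example,dc=com";
        Outcome outcome = probe(url, dn);
        System.out.println(url + " " + dn + " -> " + outcome);
        if (outcome == Outcome.ACCEPTED) {
            System.out.println("Directory honors unauthenticated binds; an affected Spring LDAP "
                + "version would report this login as successful.");
        }
    }
}
```

ACCEPTED means the server-side workaround is not in place and every application binding through an affected Spring LDAP version against this directory is exposed; either rejection outcome means the directory alone would already stop the bypass, although the library upgrade is still required.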

Patch Information

VMware/Spring has issued fixed releases through the Spring Security Advisory CVE-2026-41720. Upgrade Spring LDAP to a release later than 2.4.4, 3.2.17, 3.3.7, or 4.0.3 on the branch in use, following the advisory guidance.

Workarounds

  • Add a pre-authentication filter that validates password length and rejects empty values before the bind call.
  • Configure the LDAP server to reject unauthenticated bind requests so that a DN paired with an empty password returns an error instead of success. OpenLDAP does this by default unless the bind_anon_dn allow option is set; Active Directory accepts such binds by default, and Windows Server 2019 and later can block them through the dSHeuristics attribute.
  • Where feasible, switch to authentication providers that do not rely on raw LDAP simple binds for credential verification.
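A pre-bind guard of the kind described in the first workaround and in the Root Cause section, as an added example (this is not Spring LDAP's own code): a decorator around any DirContextAuthenticationStrategy that refuses to set up a bind when the DN is non-empty and the password is empty or null, so the request never reaches the directory and the server's answer no longer matters. The URL, DNs and secret in the wiring method are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;

/** Wraps a strategy and rejects the DN-with-empty-password combination before any bind is sent. */
public final class NonEmptyCredentialStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public NonEmptyCredentialStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    /**
     * True for exactly the CVE-2026-41720 input: a named principal with no credential.
     * An empty DN with an empty password (anonymous read-only access) is deliberately allowed.
     */
    static boolean isUnauthenticatedBind(String userDn, String password) {
        boolean hasDn = userDn != null && !userDn.isEmpty();
        boolean hasPassword = password != null && !password.isEmpty();
        return hasDn && !hasPassword;
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        if (isUnauthenticatedBind(userDn, password)) {
            // Fail here, before the JNDI provider builds the bind; Spring LDAP translates this
            // NamingException into its own AuthenticationException for the caller.
            throw new AuthenticationException("refusing unauthenticated bind for " + userDn);
        }
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }

    /** Wiring into a context source; every bind made through it passes the guard. */
    public static LdapContextSource guardedContextSource() {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl("ldaps://ldap.example.internal:636");             // placeholder host
        cs.setBase("dc=example,dc=com");                             // placeholder base DN
        cs.setUserDn("cn=svc-app,ou=services,dc=example,dc=com");    // placeholder service account
        cs.setPassword("service-account-secret");                    // placeholder; load from a secret store
        cs.setAuthenticationStrategy(
            new NonEmptyCredentialStrategy(new SimpleDirContextAuthenticationStrategy()));
        cs.afterPropertiesSet();
        return cs;
    }
}
```

The same strategy instance also handles the service-account bind the context source makes for searches, which is why the condition keys on the DN-plus-empty-password pair rather than on an empty password alone. Rejecting empty passwords at the application layer as well is still worthwhile, because that rejection is logged with the submitted username and source address, which the strategy-level refusal does not see.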
```bash
# Locate every Spring LDAP version the build resolves, including transitive ones
mvn dependency:tree -Dincludes=org.springframework.ldap:spring-ldap-core
# Pin a fixed release in pom.xml (version property or dependencyManagement entry), then rebuild
mvn clean verify
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
