High

Authentication Bypass with Empty Password in Spring LDAP

IdentifiersCVE-2026-41720CWE-287· Improper Authentication

CVE-2026-41720 is a Spring LDAP authentication bypass vulnerability in DirContextAuthenticationStrategy implementations. The flaw is that Spring LDAP does not reject LDAP bind requests where a non-empty username is supplied with an empty or null password. Per RFC 4513 Section 5.1.2, this condition is treated as an unauthenticated bind. In deployments where the target LDAP server permits unauthenticated binds, authentication flows using Spring LDAP can incorrectly treat the operation as successful even though no valid password was provided. The issue affects authentication operations performed through Spring LDAP components including AbstractContextSource, LdapTemplate, and LdapClient. Reported affected versions are Spring LDAP 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3; unsupported versions are also reported as affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an unauthenticated remote attacker to bypass password verification and authenticate as a known valid LDAP user by submitting that username with an empty or null password, but only where the backing LDAP server accepts unauthenticated binds. This can result in unauthorized access to applications or resources that rely on the affected Spring LDAP authentication flow. The provided material does not indicate direct code execution or denial of service from this issue; the primary impact is authentication bypass and resulting unauthorized access.

Mitigation

If you can’t patch tonight, do this now.

The provided content states that no additional mitigation steps are necessary beyond upgrading. As an interim risk-reduction measure where immediate patching is not possible, exposure would depend on whether the LDAP server permits unauthenticated binds; preventing such binds at the directory server and ensuring applications reject empty or null passwords before attempting LDAP authentication would reduce exploitability, but these measures are not stated by the vendor as the primary remediation.

Remediation

Patch, then assume compromise.

Upgrade Spring LDAP to a fixed release in the relevant branch: 2.4.5, 3.2.18, 3.3.8, or 4.0.4. The content states that 2.4.5 and 3.2.18 are available through Enterprise Support, while 3.3.8 and 4.0.4 are available as OSS releases. Unsupported versions should be migrated to a supported fixed branch. After upgrading, validate LDAP authentication behavior in regression testing, especially handling of empty and null password inputs.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomSpring Ldapapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Jun 9, 2026

Spring Framework Security Vulnerabilities Patched

An authentication bypass vulnerability in Spring LDAP verification logic that may allow unauthorized access when a valid username is paired with an empty or null password.

springNews

Jun 8, 2026

CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP

An authentication bypass vulnerability in Spring LDAP where a valid username combined with an empty or null password may be accepted as an unauthenticated bind on LDAP servers that permit such binds, allowing password verification bypass.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41720

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41720

MITRE CWE · CWE-287

Improper Authentication

spring.io

spring.io/security/cve-2026-41720