PatchSiren cyber security CVE debrief
CVE-2026-41720 Spring CVE debrief
CVE-2026-41720 is a high-severity vulnerability in Spring LDAP's DirContextAuthenticationStrategy implementations. A bind attempt that pairs a non-empty username with an empty or null password is not rejected, which allows an authentication bypass. Affected versions are Spring LDAP 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3.
- Vendor
- Spring
- Product
- Spring LDAP
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Users of Spring LDAP, particularly those using versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The DirContextAuthenticationStrategy implementations in Spring LDAP do not properly reject bind requests that carry a non-empty username together with an empty or null password. Such a request can complete without the caller ever presenting a valid credential, which is the authentication bypass.
Defensive priority
High
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring LDAP.
- Where an immediate upgrade is not possible, enforce at the application layer that authentication attempts with an empty or null password are rejected before any LDAP bind is attempted, and keep additional authentication controls in place to prevent unauthorized access.
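The following is an added example, not code from the Spring LDAP project or from this advisory. It shows the application-layer check described in the technical summary and in the recommended actions above: a decorator around any DirContextAuthenticationStrategy that refuses to set up a bind when a non-empty user DN arrives with a null or empty password. It assumes the two-method shape of the DirContextAuthenticationStrategy interface (setupEnvironment and processContextAfterCreation) and that the context source exposes setAuthenticationStrategy; the class name NonEmptyPasswordAuthenticationStrategy is ours.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;

/**
 * Defensive wrapper: rejects a bind that pairs a non-empty user DN with a
 * null or empty password before the request reaches the directory.
 * Assumption: the delegate is any existing strategy (for example the
 * simple or TLS strategies shipped with Spring LDAP); its method
 * signatures are assumed to match the interface shape used here.
 */
public final class NonEmptyPasswordAuthenticationStrategy
        implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public NonEmptyPasswordAuthenticationStrategy(DirContextAuthenticationStrategy delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate strategy must not be null");
        }
        this.delegate = delegate;
    }

    /** The check itself: a named principal must always carry a credential. */
    static void requireCredential(String userDn, String password) {
        boolean hasUser = userDn != null && !userDn.isEmpty();
        boolean hasPassword = password != null && !password.isEmpty();
        if (hasUser && !hasPassword) {
            // Fail closed; do not echo the password, and keep the message generic.
            throw new IllegalArgumentException("bind rejected: empty password for a named user");
        }
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        requireCredential(userDn, password);   // guard before the JNDI environment is built
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        requireCredential(userDn, password);   // guard again on the post-creation path
        return delegate.processContextAfterCreation(ctx, userDn, password);
    }
}
```

Wire it in by wrapping the strategy you already use, for example `contextSource.setAuthenticationStrategy(new NonEmptyPasswordAuthenticationStrategy(existingStrategy));` (method name assumed from the context source API). This is a compensating control only; upgrading to a fixed Spring LDAP release remains the primary action.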
Evidence notes
The CVE-2026-41720 record was published on June 9, 2026, and carries a CVSS score of 7.4 (High).
Official resources
- CVE-2026-41720 CVE record (CVE.org)
- CVE-2026-41720 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: CVE-2026-41720 was published on 2026-06-09T05:16:35.377Z.