
AIKIDO-2026-11164

spring-ldap-core is vulnerable to Authentication Bypass via Unauthenticated LDAP Bind (non-empty username, empty password)

Improper Authentication: unauthenticated LDAP bind accepted. CVE-2026-41720. Published Yesterday

Risk score: 74 (High Risk)

This Affects:

Java: org.springframework.ldap:spring-ldap-core

- 0.0.0 - 2.4.4 (fixed in 2.4.5)
- 3.0.0 - 3.2.17 (fixed in 3.2.18)
- 3.3.0 - 3.3.7 (fixed in 3.3.8)
- 4.0.0 - 4.0.3 (fixed in 4.0.4)

TL;DR

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request in which a non-empty username is paired with an empty or null password. RFC 4513 Section 5.1.2 defines such a request as an unauthenticated bind: the server does not verify any password and, if it permits the mechanism, answers with success. An application that treats a successful bind as proof of a correct password is therefore bypassed. On LDAP servers that permit unauthenticated binds, an attacker who knows a valid username can log in with an empty password.

Who does this affect?

You are affected if all of the following hold: your application depends on org.springframework.ldap:spring-ldap-core in one of the ranges listed above; it authenticates users by binding with the credentials they supply (for example through LdapTemplate.authenticate, or a context source whose DirContextAuthenticationStrategy receives the user's DN and password); and the directory server accepts unauthenticated binds. Active Directory accepts them by default; OpenLDAP rejects them unless explicitly configured to allow them. An application that already refuses blank passwords before any bind is attempted is not exploitable through this path, but it should still be upgraded.

Background info

In versions 0.0.0 - 2.4.4, 3.0.0 - 3.2.17, 3.3.0 - 3.3.7 and 4.0.0 - 4.0.3, spring-ldap-core's DirContextAuthenticationStrategy implementations pass a non-empty username with an empty or null password straight through to the LDAP bind. RFC 4513 Section 5.1.2 classifies that request as an unauthenticated bind; a server that permits it returns success without checking any password, and the calling application reads that success as a verified login. The weakness is an authentication bypass (improper authentication), not a certificate hostname check.

How to fix this

Upgrade org.springframework.ldap:spring-ldap-core to the patched release for the major line you are on: 2.4.5, 3.2.18, 3.3.8 or 4.0.4. As defence in depth, reject empty or null passwords in your own code before any bind is attempted, and configure the directory server to refuse unauthenticated binds: the empty-password bind only succeeds when the server allows the mechanism.
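The guard below is an added example, not Spring LDAP's own patch and not code from this advisory. It wraps any DirContextAuthenticationStrategy and refuses the exact shape RFC 4513 Section 5.1.2 calls an unauthenticated bind (non-empty principal, empty or null password) before the environment for the bind is even prepared, while still allowing a fully anonymous bind (both empty), which Spring LDAP uses for read-only contexts when no system account is configured. The LDAP URL, base DN and user DN are placeholders; the code needs spring-ldap-core on the classpath but does not contact a server, because the check fires before any connection is made.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;

import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;

/**
 * Decorator that refuses to set up a bind with a non-empty principal and an
 * empty or null password (an RFC 4513 5.1.2 "unauthenticated" bind).
 * Illustrative guard written for this advisory; not Spring LDAP's own fix.
 */
public final class RejectEmptyPasswordStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate;

    public RejectEmptyPasswordStrategy(DirContextAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    /** Throws unless (userDn, password) is either fully anonymous or a real name/password pair. */
    static void requireNameAndPassword(String userDn, String password) throws AuthenticationException {
        boolean hasName = userDn != null && !userDn.isEmpty();
        boolean hasPassword = password != null && !password.isEmpty();
        if (hasName && !hasPassword) {
            // A permissive server would answer this bind with success without
            // checking any password, and the caller would misread that as a login.
            throw new AuthenticationException("Refusing unauthenticated bind for " + userDn);
        }
    }

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        requireNameAndPassword(userDn, password);
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public void processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        requireNameAndPassword(userDn, password);
        delegate.processContextAfterCreation(ctx, userDn, password);
    }

    // Demonstration without an LDAP server: the guard runs before any connection.
    public static void main(String[] args) throws Exception {
        DirContextAuthenticationStrategy guarded =
                new RejectEmptyPasswordStrategy(new SimpleDirContextAuthenticationStrategy());

        // How the guard is wired into a context source (placeholder URL and base DN).
        LdapContextSource source = new LdapContextSource();
        source.setUrl("ldap://ldap.example.internal:389");
        source.setBase("dc=example,dc=internal");
        source.setAuthenticationStrategy(guarded);
        source.afterPropertiesSet();

        String userDn = "uid=alice,ou=people,dc=example,dc=internal";

        // Proper name/password bind: delegated to the simple strategy, which
        // fills in SECURITY_AUTHENTICATION=simple, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS.
        Hashtable<String, Object> env = new Hashtable<>();
        guarded.setupEnvironment(env, userDn, "correct horse battery staple");
        System.out.println("prepared " + env.get(Context.SECURITY_AUTHENTICATION) + " bind for " + userDn);

        // Attacker-shaped input: valid username, empty password. Rejected locally,
        // so a server that permits unauthenticated binds never gets the chance to say yes.
        try {
            guarded.setupEnvironment(new Hashtable<>(), userDn, "");
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Fully anonymous bind (no principal, no password) is still allowed through.
        guarded.setupEnvironment(new Hashtable<>(), "", "");
        System.out.println("anonymous bind still permitted");
    }
}
```

Keep the guard in place after upgrading: it costs nothing, it documents the intent at the point where user credentials meet the directory, and it protects any code path that reaches the bind without going through the library's patched strategy. Pair it with a server-side test: bind to your directory with a known user DN and an empty password and confirm the server returns an error rather than success, since that server setting is what turns this library behaviour into a live bypass.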