Spring Security 5.5.x Release Notes

Bug Fixes

• Patched the authorization bypass in DaoAuthenticationProvider where timing attack protections could be circumvented for disabled, expired, or locked accounts when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked (CVE-2026-22746).

Dependency Upgrades

• Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.15
• Spring Framework (NES) 5.3.39-spring-framework-5.3.51
• Spring LDAP (NES) 2.3.8-spring-ldap-2.3.11

Bug Fixes

• Patched the critical Spring Security vulnerability in OnCommittedResponseWrapper where security headers are silently dropped when Content-Length is set via setHeader, setIntHeader, or addIntHeader (CVE-2026-22732).

Dependency Upgrades

• Spring Framework (NES) 5.3.39-spring-framework-5.3.50

Bug Fixes

• This release patches the following:
  • Maximum password length enforced in BCryptPasswordEncoder (patch for CVE-2025-22228) breaks timing attack mitigation in DaoAuthenticationProvider (CVE-2025-22234).
  • BCryptPasswordEncoder maximum password length is not enforced (CVE-2025-22228).
  • Authorization Bypass for Case Sensitive Comparisons (CVE-2024-38827).
  • Authorization Bypass of Static Resources in WebFlux Applications (CVE-2024-38821).
  • Possible Broken Access Control With Direct Use of AuthenticatedVoter (CVE-2024-22257).
  • Privilege Escalation in OAuth2 Client (CVE-2022-31690).

Notes

• This release originates from the open‑source Spring Security repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Security 5.5.8.

Dependency Upgrades

• Spring Data BOM (NES) 2021.0.12-spring-data-bom-2021.0.13
• Spring Framework (NES) 5.3.39-spring-framework-5.3.49
• Spring LDAP (NES) 2.3.8-spring-ldap-2.3.9