CVE-2026-40995: X.509 authentication bypasses Spring Security account checks
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails , without applying Spring Security’s standard account lifecycle checks disabled, locked, expired, or credentials-expired accounts. That behavior applied to users...