BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
This concerns the Axon Ivy Engine when it authenticates local users. During password verification, only the first 72 bytes of the password are checked, which still corresponds to a fairly long password. The library vendor has fixed the implementation, and our next releases will use the fixed version of the library.
See also: https://nvd.nist.gov/vuln/detail/CVE-2025-22228
If you have users whose passwords are longer than 72 bytes, you need to reset their passwords.
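As an added example that is not Axon Ivy's or Spring Security's code: until the fixed library version is in place, an application can enforce bcrypt's 72-byte input limit itself with a PasswordEncoder decorator around BCryptPasswordEncoder. The class name and the wiring are assumptions; the limit is measured in UTF-8 bytes, which is what bcrypt actually consumes.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Decorator that refuses passwords longer than bcrypt's 72-byte input limit
 * before the wrapped encoder sees them. bcrypt ignores bytes past 72, so two
 * different long passwords with the same 72-byte prefix would otherwise
 * compare equal (the behaviour described in CVE-2025-22228).
 */
public final class ByteLimitedPasswordEncoder implements PasswordEncoder {

    /** bcrypt's effective maximum input length, in bytes. */
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate;   // e.g. new BCryptPasswordEncoder()

    public ByteLimitedPasswordEncoder(PasswordEncoder delegate) {
        this.delegate = delegate;
    }

    /** Length is measured in UTF-8 bytes, not characters: non-ASCII input reaches 72 bytes sooner. */
    static boolean exceedsLimit(CharSequence rawPassword) {
        return rawPassword.toString().getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (exceedsLimit(rawPassword)) {
            // Fail loudly at set/reset time so no account is stored with a silently truncated secret.
            throw new IllegalArgumentException("password must not exceed " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Input this long was never valid; never let a matching 72-byte prefix authenticate.
        if (rawPassword == null || exceedsLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        return delegate.upgradeEncoding(encodedPassword);   // keep re-hash decisions with the delegate
    }
}
```

Wiring `new ByteLimitedPasswordEncoder(new BCryptPasswordEncoder())` in place of the bare encoder means users whose current password exceeds 72 bytes can no longer log in and must have their password reset, which is exactly what the advisory asks for.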