Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

GHSA-x2wq-9x2f-fhj7 · CVE-2026-22751

Published Apr 21, 2026 · Modified May 5, 2026

Description

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22751
WEB https://github.com/spring-projects/spring-security/commit/163772775036c4146815a5266874278c6f45f047
WEB https://github.com/spring-projects/spring-security/commit/4187af38b251fc97fdf9949f7869618111e6e261
PACKAGE https://github.com/spring-projects/spring-security
WEB https://spring.io/security/cve-2026-22751

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes