CVE-2026-22751
MEDIUM4.8EPSS 0.05%Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
Published: 4/21/2026Modified: 5/5/2026
Description
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Affected packages (1)
- Maven/org.springframework.security:spring-security-core>= 6.5.0, < 6.5.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-22751
- PATCHhttps://github.com/spring-projects/spring-security
- WEBhttps://github.com/spring-projects/spring-security/commit/163772775036c4146815a5266874278c6f45f047
- WEBhttps://github.com/spring-projects/spring-security/commit/4187af38b251fc97fdf9949f7869618111e6e261
- WEBhttps://spring.io/security/cve-2026-22751