CVE-2026-22751
Received Received - Intake
TOCTOU Race Condition in Spring Security JdbcOneTimeTokenService

Publication date: 2026-04-21

Last updated on: 2026-05-01

Assigner: VMware

Description
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22751
EUVD
EUVD-2026-24227
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
vmware spring_security From 6.4.0 (inc) to 6.4.16 (exc)
vmware spring_security From 6.5.0 (inc) to 6.5.10 (exc)
vmware spring_security From 7.0.0 (inc) to 7.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22751 is a medium-severity vulnerability in Spring Security's JdbcOneTimeTokenService, which is used for one-time token authentication.

The issue is a Time-of-check Time-of-use (TOCTOU) race condition that allows an attacker who has a valid one-time token to send multiple concurrent requests to the authentication endpoint.

This flaw enables the single-use token to be consumed multiple times, allowing the attacker to create multiple authenticated sessions from what should be a single-use token.

This vulnerability affects applications that explicitly configure one-time token login using JdbcOneTimeTokenService, while the default InMemoryOneTimeTokenService is not vulnerable.

Impact Analysis

An attacker exploiting this vulnerability can reuse a single-use authentication token multiple times to establish multiple authenticated sessions.

This can lead to unauthorized access by allowing attackers to bypass the intended single-use restriction of tokens.

The impact on confidentiality and integrity is low, and there is no impact on availability according to the CVSS assessment.

Detection Guidance

This vulnerability affects applications explicitly configuring One-Time Token login using JdbcOneTimeTokenService in Spring Security versions 6.4.0 through 6.4.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4.

Detection involves identifying if your application uses the vulnerable JdbcOneTimeTokenService implementation for one-time token authentication.

Since the vulnerability is a TOCTOU race condition allowing multiple concurrent requests with the same token, monitoring for multiple authentication attempts using the same one-time token concurrently could indicate exploitation.

  • Check your application's Spring Security version and configuration to see if JdbcOneTimeTokenService is used.
  • Use application logs to detect multiple concurrent authentication requests with the same one-time token.
  • Commands to check Spring Security version (example for Maven projects): mvn dependency:list | grep spring-security
  • Commands to search for JdbcOneTimeTokenService usage in your codebase: grep -r JdbcOneTimeTokenService ./
Mitigation Strategies

The primary mitigation is to upgrade Spring Security to a fixed version where the vulnerability is resolved.

  • Upgrade to Spring Security 6.4.16 or later if using the 6.4.x branch (commercial).
  • Upgrade to Spring Security 6.5.10 or later if using the 6.5.x branch (open source).
  • Upgrade to Spring Security 7.0.5 or later if using the 7.0.x branch (open source).

If immediate upgrade is not possible, consider temporarily disabling or avoiding the use of JdbcOneTimeTokenService for one-time token login, or implement additional synchronization to prevent concurrent token consumption.

Compliance Impact

The vulnerability allows an attacker to reuse a single-use token multiple times, potentially enabling multiple authenticated sessions from what should be a one-time token.

This could lead to unauthorized access to sensitive data or systems, which may impact compliance with standards and regulations such as GDPR or HIPAA that require strict access controls and protection of personal or health information.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22751. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart