CVE-2026-22751
TOCTOU Race Condition in Spring Security JdbcOneTimeTokenService

Publication date: 2026-04-21

Last updated on: 2026-05-01

Assigner: VMware

Description
Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Meta Information
Published: 2026-04-21
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product          Version / Range
vmware   spring_security  From 6.4.0 (inc) to 6.4.16 (exc)
vmware   spring_security  From 6.5.0 (inc) to 6.5.10 (exc)
vmware   spring_security  From 7.0.0 (inc) to 7.0.5 (exc)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22751 is a medium-severity vulnerability in Spring Security's JdbcOneTimeTokenService, which is used for one-time token authentication.

The issue is a Time-of-check Time-of-use (TOCTOU) race condition that allows an attacker who has a valid one-time token to send multiple concurrent requests to the authentication endpoint.

This flaw enables the single-use token to be consumed multiple times, allowing the attacker to create multiple authenticated sessions from what should be a single-use token.

This vulnerability affects applications that explicitly configure one-time token login using JdbcOneTimeTokenService, while the default InMemoryOneTimeTokenService is not vulnerable.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can reuse a single-use authentication token multiple times to establish multiple authenticated sessions.

This can lead to unauthorized access by allowing attackers to bypass the intended single-use restriction of tokens.

The impact on confidentiality and integrity is low, and there is no impact on availability according to the CVSS assessment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects applications explicitly configuring One-Time Token login using JdbcOneTimeTokenService in Spring Security versions 6.4.0 through 6.4.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4.

Detection involves identifying if your application uses the vulnerable JdbcOneTimeTokenService implementation for one-time token authentication.

Since the vulnerability is a TOCTOU race condition allowing multiple concurrent requests with the same token, monitoring for multiple authentication attempts using the same one-time token concurrently could indicate exploitation.

  • Check your application's Spring Security version and configuration to see if JdbcOneTimeTokenService is used.
  • Use application logs to detect multiple concurrent authentication requests with the same one-time token.
  • Commands to check Spring Security version (example for Maven projects): mvn dependency:list | grep spring-security
  • Commands to search for JdbcOneTimeTokenService usage in your codebase: grep -r JdbcOneTimeTokenService ./
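A log-side check of the kind the second bullet above describes, written as an added example for this page; it is not Spring Security's own logging or tooling. The audit-log line format, the field names (including `token_sha256`, chosen so that only a hash of the token is ever written) and the sample entries are all constructed for illustration. The script groups login attempts by token hash and reports tokens that either succeeded more than once, which a correctly single-use token can never do, or were presented repeatedly inside a short window, which is the concurrency the race needs but can also be an honest client retrying.

```python
"""Flag one-time tokens presented more than once, from constructed login audit logs.

Added example; the log line format and entries are constructed for this page and
are not Spring Security's own logging. The token column holds a hash (assumed
here), never the token itself.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: three near-simultaneous successes on ab12 is the trace a
# TOCTOU reuse leaves; cd34 is a normal login; ef56 is a user retrying a
# failed token under a second apart (a burst, but no reuse).
SAMPLE_LOG: List[str] = [
    "2026-04-21T10:00:01.120Z ott-login token_sha256=ab12 user=alice result=SUCCESS src=203.0.113.5",
    "2026-04-21T10:00:01.131Z ott-login token_sha256=ab12 user=alice result=SUCCESS src=203.0.113.5",
    "2026-04-21T10:00:01.140Z ott-login token_sha256=ab12 user=alice result=SUCCESS src=203.0.113.5",
    "2026-04-21T10:05:44.002Z ott-login token_sha256=cd34 user=bob result=SUCCESS src=198.51.100.9",
    "2026-04-21T10:07:10.500Z ott-login token_sha256=ef56 user=carol result=FAILURE src=198.51.100.9",
    "2026-04-21T10:07:11.300Z ott-login token_sha256=ef56 user=carol result=FAILURE src=198.51.100.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ott-login token_sha256=(?P<tok>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


def parse_events(lines: List[str]) -> List[dict]:
    """Parse matching lines into event dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "token": m["tok"],
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return events


def find_token_reuse(lines: List[str], window: timedelta = timedelta(seconds=2)) -> Dict[str, dict]:
    """Return, per suspicious token hash, attempt and success counts plus whether
    any two attempts fell within `window` of each other.

    Reported when successes > 1 (strongest signal: a single-use token consumed
    more than once) or when attempts cluster inside the window (weaker signal:
    the concurrency the race needs, but also what a retrying client produces).
    """
    by_token: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_events(lines):
        by_token[ev["token"]].append(ev)

    findings: Dict[str, dict] = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        successes = sum(1 for e in evs if e["result"] == "SUCCESS")
        burst = any(b["ts"] - a["ts"] <= window for a, b in zip(evs, evs[1:]))
        if successes > 1 or burst:
            findings[token] = {
                "attempts": len(evs),
                "successes": successes,
                "burst_within_window": burst,
                "users": sorted({e["user"] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for token, finding in find_token_reuse(SAMPLE_LOG).items():
        print(token, finding)
```

Treat a token with more than one SUCCESS as a confirmed reuse worth an incident ticket; treat a burst of failures on its own as a lead to correlate with the source address and the user's other activity, since a user pasting a stale link twice produces the same shape.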

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to reuse a single-use token multiple times, potentially enabling multiple authenticated sessions from what should be a one-time token.

This could lead to unauthorized access to sensitive data or systems, which may impact compliance with standards and regulations such as GDPR or HIPAA that require strict access controls and protection of personal or health information.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Spring Security to a fixed version where the vulnerability is resolved.

  • Upgrade to Spring Security 6.4.16 or later if using the 6.4.x branch (commercial).
  • Upgrade to Spring Security 6.5.10 or later if using the 6.5.x branch (open source).
  • Upgrade to Spring Security 7.0.5 or later if using the 7.0.x branch (open source).

If immediate upgrade is not possible, consider temporarily disabling or avoiding the use of JdbcOneTimeTokenService for one-time token login, or implement additional synchronization to prevent concurrent token consumption.
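The "additional synchronization" the paragraph above mentions comes down to making the check and the use of the token one operation that the database serialises. The following is an added illustration of that pattern, not Spring Security's code or a patch for it: Python's sqlite3 stands in for the JDBC DataSource, and the table name, columns and token values are assumed. `consume_check_then_use` reproduces the CWE-367 shape in miniature (a SELECT followed by a separate DELETE whose outcome is ignored), `consume_atomic` lets the DELETE's row count decide who logged in, and `demo` races two threads against each variant so the difference is observable rather than argued.

```python
"""Check-then-use vs. atomic consume for a SQL-backed one-time-token table.

Added illustration of the CWE-367 pattern named on this page; it is not
Spring Security's code. sqlite3 stands in for a JDBC DataSource, and the
table layout, column names and token values are assumed.
"""
import os
import sqlite3
import tempfile
import threading
import time
from typing import Callable, Optional


def open_db(path: str) -> sqlite3.Connection:
    # isolation_level=None gives autocommit, mirroring a JDBC connection with
    # autoCommit=true: every statement is its own transaction.
    conn = sqlite3.connect(path, isolation_level=None, timeout=5.0)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS one_time_tokens ("
        "token_value TEXT PRIMARY KEY, username TEXT NOT NULL, expires_at REAL NOT NULL)"
    )
    return conn


def issue(conn: sqlite3.Connection, token_value: str, username: str, ttl: float = 300.0) -> None:
    conn.execute("INSERT INTO one_time_tokens VALUES (?, ?, ?)",
                 (token_value, username, time.time() + ttl))


def consume_check_then_use(conn: sqlite3.Connection, token_value: str,
                           after_check: Optional[Callable[[], object]] = None) -> Optional[str]:
    """Racy pattern: the SELECT (check) and the DELETE (use) are separate statements."""
    rows = conn.execute(
        "SELECT username FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
        (token_value, time.time())).fetchall()
    if not rows:
        return None
    if after_check is not None:
        after_check()  # test hook that holds the caller inside the check/use window
    # The DELETE's result is never inspected, so a caller whose DELETE removed
    # nothing (a concurrent caller got there first) is still handed the user.
    conn.execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token_value,))
    return rows[0][0]


def consume_atomic(conn: sqlite3.Connection, token_value: str) -> Optional[str]:
    """Hardened pattern: only the caller whose DELETE actually removed the row wins.
    The database serialises the DELETEs, so the row count is 1 for exactly one caller."""
    rows = conn.execute(
        "SELECT username FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
        (token_value, time.time())).fetchall()
    if not rows:
        return None
    cur = conn.execute(
        "DELETE FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
        (token_value, time.time()))
    return rows[0][0] if cur.rowcount == 1 else None


def race(db_path: str, token_value: str,
         attempt: Callable[[sqlite3.Connection, str, Callable[[], None]], Optional[str]],
         workers: int = 2) -> int:
    """Run attempt(conn, token, sync) from `workers` threads and return how many
    of them were handed a username for the same token. `sync` blocks until every
    worker has reached it, which is how the window is forced open deterministically."""
    barrier = threading.Barrier(workers)
    wins: list = []
    lock = threading.Lock()

    def sync() -> None:
        barrier.wait(timeout=10)

    def worker() -> None:
        conn = open_db(db_path)
        try:
            user = attempt(conn, token_value, sync)
        finally:
            conn.close()
        if user is not None:
            with lock:
                wins.append(user)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins)


def demo() -> dict:
    """Issue one token per variant and race two concurrent consumers against each."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tokens.db")
        setup = open_db(path)
        issue(setup, "tok-racy", "alice")
        issue(setup, "tok-atomic", "alice")
        setup.close()
        racy = race(path, "tok-racy",
                    lambda c, t, s: consume_check_then_use(c, t, after_check=s))
        atomic = race(path, "tok-atomic",
                      lambda c, t, s: (s(), consume_atomic(c, t))[1])
    return {"check_then_use": racy, "atomic": atomic}


if __name__ == "__main__":
    print(demo())  # {'check_then_use': 2, 'atomic': 1}
```

The design point carries over to any JDBC store: never derive "this token is valid" from a read and then act on it in a second statement; make the DELETE (or an UPDATE that marks the row used) carry the validity predicate and treat its affected-row count as the only proof of success. Application-level locks around the read and the write also work but only within one JVM, whereas the row count holds across every instance sharing the database.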

