CVE-2026-22751: Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

April 21, 2026 (updated April 25, 2026)

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

References

github.com/advisories/GHSA-x2wq-9x2f-fhj7
github.com/spring-projects/spring-security/commit/163772775036c4146815a5266874278c6f45f047
github.com/spring-projects/spring-security/commit/4187af38b251fc97fdf9949f7869618111e6e261
nvd.nist.gov/vuln/detail/CVE-2026-22751
spring.io/security/cve-2026-22751

Code Behaviors & Features

Detect and mitigate CVE-2026-22751 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →