CVE-2026-22751: Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
(updated )
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
References
- github.com/advisories/GHSA-x2wq-9x2f-fhj7
- github.com/spring-projects/spring-security
- github.com/spring-projects/spring-security/commit/163772775036c4146815a5266874278c6f45f047
- github.com/spring-projects/spring-security/commit/4187af38b251fc97fdf9949f7869618111e6e261
- nvd.nist.gov/vuln/detail/CVE-2026-22751
- spring.io/security/cve-2026-22751
Code Behaviors & Features
Detect and mitigate CVE-2026-22751 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →