Platform
java
Component
spring-security
Fixed in
6.4.16
6.5.10
7.0.5
6.5.10
CVE-2026-22751 describes a Race Condition vulnerability within Spring Security, specifically impacting applications utilizing JdbcOneTimeTokenService for One-Time Token login. This TOCTOU (Time-of-check Time-of-use) vulnerability allows a malicious actor to potentially bypass authentication mechanisms. The vulnerability affects Spring Security versions 6.4.0 through 7.0.4, and a fix is available in version 6.4.16.
The core of this vulnerability lies in a race condition. When Spring Security's JdbcOneTimeTokenService is used, the system checks for the existence of a one-time token and then uses it. An attacker can exploit this by manipulating the token between the check and the use, potentially invalidating the authentication process. Successful exploitation could grant unauthorized access to protected resources and functionalities within the application. While the CVSS score is MEDIUM, the potential for bypassing authentication controls warrants serious attention, particularly in environments with sensitive data or critical operations.
CVE-2026-22751 was publicly disclosed on 2026-04-21. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The vulnerability's reliance on a specific configuration (JdbcOneTimeTokenService) may limit its widespread exploitability, but organizations using this feature should prioritize patching.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22751 is to upgrade to Spring Security version 6.4.16 or later, which includes the fix for this race condition. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as reducing the token validity window or adding additional authentication checks. Monitor application logs for unusual authentication patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to reproduce the vulnerability scenario and verifying that authentication is properly enforced.
Update Spring Security to version 6.4.16 or higher, 6.5.10 or higher, or 7.0.5 or higher to mitigate the TOCTOU vulnerability in the JdbcOneTimeTokenService. This update corrects the race condition that allows for multiple sessions to authenticate with a single one-time token. Review the official Spring Security documentation for detailed upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-22751 is a Race Condition vulnerability affecting Spring Security versions 6.4.0–7.0.4. It allows attackers to potentially bypass authentication using a TOCTOU exploit.
You are affected if you are using Spring Security versions 6.4.0 through 7.0.4 and have configured JdbcOneTimeTokenService for One-Time Token login.
Upgrade to Spring Security version 6.4.16 or later to resolve the vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-22751.
Refer to the Spring Security project's security advisories for detailed information and updates: [https://security.spring.io/](https://security.spring.io/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.