MEDIUM 4.8
GHSA-x2wq-9x2f-fhj7
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
Details
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Are you affected?
Enter the version of the package you're using.
Affected packages
Maven / org.springframework.security:spring-security-core
Introduced in:
6.5.0 Fixed in: 6.5.10 Fix
# pom.xml: bump <version>6.5.10</version> for org.springframework.security:spring-security-core Maven / org.springframework.security:spring-security-core
Introduced in:
7.0.3 Fixed in: 7.0.5 Fix
# pom.xml: bump <version>7.0.5</version> for org.springframework.security:spring-security-core Maven / org.springframework.security:spring-security-core
Introduced in:
6.4.0 No fixed version published yet for org.springframework.security:spring-security-core (maven). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-22751 [ADVISORY]
- https://github.com/spring-projects/spring-security/commit/163772775036c4146815a5266874278c6f45f047 [WEB]
- https://github.com/spring-projects/spring-security/commit/4187af38b251fc97fdf9949f7869618111e6e261 [WEB]
- https://github.com/spring-projects/spring-security [PACKAGE]
- https://jinyeong.seol.pro/blogs/cve-2026-22751/en [WEB]
- https://spring.io/security/cve-2026-22751 [WEB]