Time-of-Check Time-of-Use Vulnerability in Spring Security by Pivotal
CVE-2026-22751

4.8 MEDIUM

Key Information:

Vendor: Spring
CVE Published: 21 April 2026

What is CVE-2026-22751?

Spring Security contains a Time-of-check Time-of-use (TOCTOU) race condition in JdbcOneTimeTokenService, which affects applications that configure One-Time Token login with that service. Because a one-time token is checked and then consumed in separate steps, concurrent requests can interleave inside that window, and the race can potentially lead to unauthorized access. Applications built on the affected versions listed below should upgrade to a release outside those ranges; applications that use One-Time Token login with a different token service are not covered by this advisory.
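To make the TOCTOU shape concrete, the following is an added example written for this page, not Spring Security's code and not a reproduction of the actual flaw in JdbcOneTimeTokenService. It models a JDBC-style token table in SQLite with an assumed layout (token_value, username, expires_at, claimed) and assumed function names, deterministically interleaves two requests that present the same token, and contrasts a separate SELECT-then-DELETE with a single conditional UPDATE whose row count decides who wins.

```python
"""Check-then-use race on a one-time-token table, and an atomic claim.

Constructed example: the table layout, function names and the request
interleaving are assumptions made for illustration; this is not the
Spring Security implementation.
"""
import sqlite3

# Assumed table: one row per issued token; a token is single-use.
SCHEMA = """
CREATE TABLE one_time_tokens (
    token_value TEXT PRIMARY KEY,
    username    TEXT    NOT NULL,
    expires_at  INTEGER NOT NULL,
    claimed     INTEGER NOT NULL DEFAULT 0
)
"""


def new_store():
    """In-memory store in autocommit mode: each statement is its own transaction."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(SCHEMA)
    return conn


def issue(conn, token, username, ttl_seconds, now):
    """Issue a token for `username` that expires `ttl_seconds` after `now`."""
    conn.execute(
        "INSERT INTO one_time_tokens (token_value, username, expires_at) VALUES (?, ?, ?)",
        (token, username, now + ttl_seconds),
    )


# --- Vulnerable shape: time of check (SELECT) and time of use (DELETE) are separate statements.
def racy_check(conn, token, now):
    """Time of check: is the token present and unexpired? Returns the username or None."""
    row = conn.execute(
        "SELECT username FROM one_time_tokens WHERE token_value = ? AND expires_at >= ?",
        (token, now),
    ).fetchone()
    return row[0] if row else None


def racy_use(conn, token):
    """Time of use: consume the token. Nothing here notices that another request already did."""
    conn.execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token,))


def vulnerable_consume_interleaved(conn, token, now, requests=2):
    """Models `requests` concurrent logins whose check steps all run before any use step.

    Returns the usernames that were authenticated: every request passes the check,
    so one token yields `requests` logins.
    """
    results = [racy_check(conn, token, now) for _ in range(requests)]
    for _ in range(requests):
        racy_use(conn, token)
    return [u for u in results if u is not None]


# --- Hardened shape: claim the row in one conditional UPDATE and trust only the row count.
def atomic_consume(conn, token, now):
    """Claim the token in a single statement; exactly one caller can see rowcount == 1."""
    cur = conn.execute(
        "UPDATE one_time_tokens SET claimed = 1 "
        "WHERE token_value = ? AND claimed = 0 AND expires_at >= ?",
        (token, now),
    )
    if cur.rowcount != 1:
        return None  # unknown, expired, or already claimed by a concurrent request
    row = conn.execute(
        "SELECT username FROM one_time_tokens WHERE token_value = ?", (token,)
    ).fetchone()
    conn.execute("DELETE FROM one_time_tokens WHERE token_value = ?", (token,))
    return row[0]


def hardened_consume_interleaved(conn, token, now, requests=2):
    """Same `requests` logins against the atomic claim: only the first one succeeds."""
    results = [atomic_consume(conn, token, now) for _ in range(requests)]
    return [u for u in results if u is not None]


if __name__ == "__main__":
    for name, consume in (("racy", vulnerable_consume_interleaved),
                          ("atomic", hardened_consume_interleaved)):
        store = new_store()
        issue(store, "tok-1", "alice", ttl_seconds=900, now=1_000)
        print(name, "logins from one token:", consume(store, "tok-1", now=1_000))
```

The JDBC equivalent of the hardened path is a single parameterised UPDATE or DELETE whose returned update count is the only evidence that this request owns the token; a SELECT that merely saw the row proves nothing once a second request is in flight. Where the database supports it, DELETE ... RETURNING collapses the claim and the lookup into one statement.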

Affected Version(s)

Spring Security 6.4.0 through 6.4.15

Spring Security 6.5.0 through 6.5.9

Spring Security 7.0.0 through 7.0.4


CVSS v3.1

Score: 4.8 (MEDIUM)
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Note that the metrics as listed do not reproduce the stated score: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L evaluates to 5.6 under the CVSS v3.1 formula, whereas 4.8 is what the same vector gives with Availability set to None (A:N). Treat the vendor advisory as authoritative for the vector. The High attack complexity is consistent with exploitation depending on winning a race window.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 April 2026
