CVE-2026-22751 Overview
A Time-of-check Time-of-use (TOCTOU) race condition vulnerability has been identified in Spring Security affecting applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService. This race condition occurs during the authentication flow where the validation and consumption of one-time tokens are not performed atomically, potentially allowing attackers to exploit the timing gap between these operations.
Critical Impact
Applications using JdbcOneTimeTokenService for One-Time Token authentication may be susceptible to token reuse attacks due to the TOCTOU race condition, potentially compromising authentication integrity.
Affected Products
- Spring Security versions 6.4.0 through 6.4.15
- Spring Security versions 6.5.0 through 6.5.9
- Spring Security versions 7.0.0 through 7.0.4
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-22751 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-22751
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-check Time-of-use Race Condition). The flaw exists in the JdbcOneTimeTokenService implementation used for One-Time Token login functionality in Spring Security. The race condition occurs when the system checks whether a token is valid and then subsequently uses or invalidates that token. Due to the non-atomic nature of these operations, a narrow time window exists where an attacker with access to a valid one-time token could potentially submit multiple simultaneous requests to exploit the token before it is properly consumed.
The network-based attack vector with high complexity requirements means exploitation requires precise timing and likely automated tools to successfully race the token validation mechanism. However, no user interaction is required, making it feasible for attackers to attempt exploitation against exposed endpoints.
Root Cause
The root cause lies in the lack of atomic operations in the JdbcOneTimeTokenService when handling one-time token validation and consumption. The implementation performs a check to validate the token's existence and validity, followed by a separate operation to consume or invalidate the token. This two-step process creates a race window where concurrent requests can pass the validation check before any single request completes the consumption step.
Attack Vector
The attack requires network access to the application's authentication endpoints that utilize the One-Time Token login feature with JdbcOneTimeTokenService. An attacker must:
- Obtain a valid one-time token (through legitimate means or interception)
- Submit multiple concurrent authentication requests using the same token
- Time the requests to arrive during the gap between token validation and consumption
If successful, multiple authentication sessions could be established using a single one-time token, violating the single-use guarantee of the authentication mechanism.
The vulnerability mechanism involves race conditions during token validation in the JDBC-backed token service. For detailed technical information, refer to the Spring Security Advisory CVE-2026-22751.
Detection Methods for CVE-2026-22751
Indicators of Compromise
- Multiple successful authentication events using the same one-time token within milliseconds
- Unusual spikes in concurrent authentication requests to One-Time Token endpoints
- Log entries showing repeated token validation for identical token values
- Multiple active sessions associated with a single one-time token issuance
Detection Strategies
- Implement application-level logging to track one-time token usage patterns and flag potential race condition exploitation attempts
- Monitor database transaction logs for JdbcOneTimeTokenService table operations showing concurrent read operations on the same token record
- Deploy application performance monitoring (APM) tools to detect abnormal request patterns targeting authentication endpoints
- Configure alerts for authentication anomalies where multiple sessions originate from single token issuance events
Monitoring Recommendations
- Enable detailed audit logging for all One-Time Token authentication attempts including timestamps with millisecond precision
- Monitor application logs for authentication success patterns that indicate token reuse
- Implement real-time alerting for concurrent authentication attempts from the same token source
- Review database transaction isolation levels and locking behavior for token tables
How to Mitigate CVE-2026-22751
Immediate Actions Required
- Upgrade Spring Security to a patched version beyond the affected ranges: 6.4.15, 6.5.9, or 7.0.4
- Review application configurations to identify usage of JdbcOneTimeTokenService for One-Time Token login
- Consider temporarily disabling One-Time Token authentication if immediate patching is not feasible
- Implement additional rate limiting on authentication endpoints as a defense-in-depth measure
Patch Information
Spring has released security updates to address this vulnerability. Refer to the official Spring Security Advisory CVE-2026-22751 for specific patched versions and upgrade guidance. Applications should upgrade to the latest available version in their respective major version track that addresses this vulnerability.
Workarounds
- Implement database-level row locking or pessimistic locking strategies for the one-time token table to prevent concurrent access
- Add application-level synchronization around token validation and consumption operations
- Consider switching to an alternative OneTimeTokenService implementation that provides atomic operations
- Implement additional token validation at the application layer using a distributed lock mechanism such as Redis
# Configuration example
# Update Spring Security dependency in pom.xml (Maven)
# Upgrade to patched version beyond affected ranges
# For Spring Security 6.4.x users:
# <version>6.4.16</version> or later
# For Spring Security 6.5.x users:
# <version>6.5.10</version> or later
# For Spring Security 7.0.x users:
# <version>7.0.5</version> or later
# Verify your application's Spring Security version:
mvn dependency:tree | grep spring-security
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
