Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.
An attacker with a valid one-time token can send concurrent requests to the authentication endpoint, allowing the single-use token to be consumed multiple times and establishing multiple authenticated sessions.
The default InMemoryOneTimeTokenService is thread-safe and not affected by this vulnerability.
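The race described above, shown as an added illustration that is not Spring Security's own code: a `consume()` written as a separate check (SELECT) and use (DELETE), beside a version in which the DELETE itself is the check. The table name and columns follow Spring Security's `one_time_tokens` schema and the types come from Spring Security's `org.springframework.security.authentication.ott` package; the class name, SQL constants and method names are hypothetical.

```java
import java.sql.Timestamp;
import java.time.Instant;
import java.util.List;

import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.authentication.ott.DefaultOneTimeToken;
import org.springframework.security.authentication.ott.OneTimeToken;
import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;

/**
 * Two ways to consume a one-time token stored in the one_time_tokens table.
 * Illustrative only: this is not Spring Security's JdbcOneTimeTokenService.
 */
public class OneTimeTokenConsumeExamples {

    private static final String SELECT_SQL =
            "SELECT token_value, username, expires_at FROM one_time_tokens WHERE token_value = ?";
    private static final String DELETE_SQL =
            "DELETE FROM one_time_tokens WHERE token_value = ?";
    private static final String DELETE_UNEXPIRED_SQL =
            "DELETE FROM one_time_tokens WHERE token_value = ? AND expires_at > ?";

    private static final RowMapper<OneTimeToken> ROW_MAPPER = (rs, rowNum) -> new DefaultOneTimeToken(
            rs.getString("token_value"),
            rs.getString("username"),
            rs.getTimestamp("expires_at").toInstant());

    private final JdbcOperations jdbc;

    public OneTimeTokenConsumeExamples(JdbcOperations jdbc) {
        this.jdbc = jdbc;
    }

    /**
     * TOCTOU pattern. The token is checked (SELECT) and then used (DELETE) in two
     * statements. N concurrent requests carrying the same token can all pass the
     * SELECT before any DELETE runs, so every one of them returns the token and
     * every caller is issued an authenticated session.
     */
    public OneTimeToken consumeRacy(OneTimeTokenAuthenticationToken auth) {
        List<OneTimeToken> found = jdbc.query(SELECT_SQL, ROW_MAPPER, auth.getTokenValue());
        if (found.isEmpty()) {
            return null;
        }
        OneTimeToken token = found.get(0);
        // <-- window: a concurrent request runs the same SELECT here and also sees the row
        jdbc.update(DELETE_SQL, token.getTokenValue());
        if (token.getExpiresAt().isBefore(Instant.now())) {
            return null;
        }
        return token;
    }

    /**
     * Atomic pattern. The row is read only to build the return value; the
     * decision is made by the DELETE, which the database serializes on the
     * primary key. Exactly one request observes deleted == 1; every other
     * request observes 0 and is rejected, so one token yields at most one session.
     */
    public OneTimeToken consumeAtomic(OneTimeTokenAuthenticationToken auth) {
        List<OneTimeToken> found = jdbc.query(SELECT_SQL, ROW_MAPPER, auth.getTokenValue());
        if (found.isEmpty()) {
            return null;
        }
        OneTimeToken token = found.get(0);
        int deleted = jdbc.update(DELETE_UNEXPIRED_SQL,
                token.getTokenValue(), Timestamp.from(Instant.now()));
        return (deleted == 1) ? token : null;
    }
}
```

The property to verify on a fix, whether your own service or the upgraded library, is the one the advisory states: fire a burst of concurrent requests to the one-time-token login endpoint with the same valid token and confirm that exactly one of them succeeds. With `consumeAtomic` the expired-token branch leaves the row in place, so a periodic cleanup of rows with `expires_at` in the past is still needed; that is a housekeeping concern, not a security one.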
Spring Security:
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.4.x | 6.4.16 | Commercial |
| 6.5.x | 6.5.10 | OSS |
| 7.0.x | 7.0.5 | OSS |
The issue was identified and responsibly reported by Jinyeong Seol (@Seol-JY).
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.