VYPR
Medium severity (4.8) · NVD Advisory · Published Apr 21, 2026 · Updated May 1, 2026

CVE-2026-22751

Description

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.springframework.security:spring-security-core | Maven | >= 6.5.0, < 6.5.10 | 6.5.10 |
| org.springframework.security:spring-security-core | Maven | >= 7.0.3, < 7.0.5 | 7.0.5 |
| org.springframework.security:spring-security-core | Maven | >= 6.4.0, <= 6.4.13 | |

Affected products: 26
