{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22751", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:55:03.990Z", "datePublished": "2026-04-21T18:30:35.428Z", "dateUpdated": "2026-04-21T18:44:34.841Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-21T18:30:35.428Z"}, "title": "Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions", "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "6.4.0", "lessThanOrEqual": "6.4.15", "versionType": "custom"}, {"status": "affected", "version": "6.5.0", "lessThanOrEqual": "6.5.9", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with\u00a0JdbcOneTimeTokenService\u00a0are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.\u00a0This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with&nbsp;<code>JdbcOneTimeTokenService</code>&nbsp;are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.&nbsp;<span>This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.</span>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22751"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-367", "lang": "en", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:44:30.926766Z", "id": "CVE-2026-22751", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:44:34.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:44:30.926766Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:44:13.539Z"}}], "cna": {"title": "Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.15"}, {"status": "affected", "version": "6.5.0", "versionType": "custom", "lessThanOrEqual": "6.5.9"}, {"status": "affected", "version": "7.0.0", "versionType": "custom", "lessThanOrEqual": "7.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22751"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with\u00a0JdbcOneTimeTokenService\u00a0are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.\u00a0This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with&nbsp;<code>JdbcOneTimeTokenService</code>&nbsp;are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.&nbsp;<span>This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.</span>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-21T18:30:35.428Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22751", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:44:34.841Z", "dateReserved": "2026-01-09T06:55:03.990Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-21T18:30:35.428Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "6452E94A-BC89-4F38-A140-C55DC6DEC0A8", "versionEndExcluding": "6.4.16", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A35C014-6D64-4246-99B8-88BD7B5EC92F", "versionEndExcluding": "6.5.10", "versionStartIncluding": "6.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B8A5767-EB43-4E11-8E93-9324B70F7060", "versionEndExcluding": "7.0.5", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with\u00a0JdbcOneTimeTokenService\u00a0are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition.\u00a0This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4."}], "id": "CVE-2026-22751", "lastModified": "2026-05-01T12:11:12.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:16.550", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22751"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Spring Security: JdbcOneTimeTokenService: Spring Security: Authentication bypass due to race condition in One-Time Token login", "id": "2460211", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460211"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in Spring Security, specifically in applications configured for One-Time Token login using JdbcOneTimeTokenService. This vulnerability is due to a Time-of-check Time-of-use (TOCTOU) race condition. A remote attacker with high attack complexity could exploit this flaw to achieve low confidentiality and low integrity impact, potentially leading to unauthorized access or limited information disclosure."], "name": "CVE-2026-22751", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.apache.servicemix.bundles.spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "quarkus-spring-security-core-api", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-04-21T18:30:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22751\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22751\nhttps://spring.io/security/cve-2026-22751"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.4.0,6.4.15]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.5.0,6.5.9]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Spring Security", "source": "cna", "vendor": "Spring"}, "product": "spring_security", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-22T05:33:53.349206+00:00", "value": {"mitigation_remediation": ["Upgrade Spring Security to a version newer than the vulnerable releases (\u22656.4.16, \u22656.5.10, or \u22657.0.5). Official patches address the race condition.", "If an immediate upgrade is not feasible, disable or remove the One\u2011Time Token login configuration until the fix is applied, or enforce token invalidation logic manually.", "Audit and monitor authentication logs for repeated use of a single token and investigate any anomalous activity."], "summary": {"action": "Check updates", "impact": "Repeated token authentication"}, "threat_synthesis": {"affected_systems": "Spring Security versions 6.4.0 through 6.4.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4 are vulnerable. Any Java application that has explicitly configured JdbcOneTimeTokenService for one\u2011time token logins within those releases may be impacted. The vulnerability is limited to those versions and does not affect earlier or later releases.", "description_and_impact": "The vulnerability in Spring Security arises from a time\u2011of\u2011check to time\u2011of\u2011use race condition in JdbcOneTimeTokenService. When an application enables one\u2011time token logins, the service does not correctly invalidate a token upon first use, allowing the same token to be reused to establish multiple authenticated sessions. This flaw can enable an attacker who gains or intercepts a one\u2011time token to create additional sessions beyond the intended single\u2011use restriction, effectively bypassing the mechanism that was supposed to limit access to one session per token.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity based on CVSS v3.1. No EPSS data is available, and the issue is not listed in CISA's KEV catalog, suggesting current exploitation is not widely reported. However, the TOCTOU race condition requires concurrency or timing conditions; an attacker must have access to the one\u2011time token and the ability to request simultaneous authentication attempts. The risk is thus primarily for environments that expose these tokens insecurely, but the lack of a public exploit and low severity score moderates urgency. Nevertheless, updating to a fixed version remains prudent."}}}}, "created": "2026-04-22T03:15:06.404553+00:00", "updated": "2026-04-22T11:45:51.168230+00:00", "vendors": ["spring", "spring$PRODUCT$spring_security"]}