Impact
The vulnerability in Spring Security arises from a time-of-check to time-of-use (TOCTOU) race condition in JdbcOneTimeTokenService. When an application enables one-time token login with this service, a token is not invalidated atomically with the check that accepts it, so concurrent requests presenting the same token can each establish an authenticated session. An attacker who obtains or intercepts a one-time token can therefore create additional sessions beyond the single use the mechanism is meant to allow, bypassing the one-session-per-token restriction.
Affected Systems
Spring Security versions 6.4.0 through 6.4.15, 6.5.0 through 6.5.9, and 7.0.0 through 7.0.4 are vulnerable. Any Java application on one of those releases that has explicitly configured JdbcOneTimeTokenService for one-time token login may be affected. Releases outside these ranges are not affected.
Risk and Exploitability
The CVSS v3.1 base score of 4.8 corresponds to medium severity. No EPSS data is available and the issue is not listed in CISA's KEV catalog, so there is currently no indication of exploitation in the wild. Exploitation also requires specific conditions: the attacker must already hold a valid one-time token and must be able to submit concurrent authentication requests with it, so that more than one request passes the validity check before the token is invalidated. The risk therefore concentrates in deployments where tokens can be obtained by a third party, for example through an insecure delivery channel. The absence of a public exploit and the medium score lower the urgency, but upgrading to a fixed release remains the appropriate remediation.
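The check-then-use window described in the Impact and Risk sections, as an added illustration that is not Spring Security's code and does not reproduce JdbcOneTimeTokenService internals: a minimal SQLite-backed token store whose vulnerable consume path trusts the preceding SELECT and ignores the outcome of the DELETE, beside a hardened version that grants a session only when its own DELETE actually removed the row. The table layout, method names, and the barrier used to force two requests into the window are all constructed for this example.

```python
import sqlite3
import threading

# Constructed schema standing in for a one-time-token table; column names are
# assumptions for this illustration, not Spring Security's actual schema.
SCHEMA = """
CREATE TABLE one_time_tokens (
    token_value TEXT PRIMARY KEY,
    username    TEXT NOT NULL,
    expires_at  INTEGER NOT NULL
)
"""


class TokenStore:
    """Minimal JDBC-style one-time-token store backed by in-memory SQLite."""

    def __init__(self):
        # One shared autocommit connection; self.lock only keeps sqlite3
        # thread-safe per statement. It is deliberately NOT the fix.
        self.conn = sqlite3.connect(":memory:", check_same_thread=False,
                                    isolation_level=None)
        self.conn.execute(SCHEMA)
        self.lock = threading.Lock()

    def generate(self, token, username, expires_at):
        with self.lock:
            self.conn.execute("INSERT INTO one_time_tokens VALUES (?, ?, ?)",
                              (token, username, expires_at))

    def _check(self, token, now):
        """Time of check: look the token up and validate expiry."""
        with self.lock:
            row = self.conn.execute(
                "SELECT username, expires_at FROM one_time_tokens "
                "WHERE token_value = ?", (token,)).fetchone()
        if row is None or row[1] <= now:
            return None
        return row[0]

    def _delete(self, token):
        """Time of use: remove the token; returns the number of rows removed."""
        with self.lock:
            return self.conn.execute(
                "DELETE FROM one_time_tokens WHERE token_value = ?",
                (token,)).rowcount

    def consume_naive(self, token, now, rendezvous=None):
        """Vulnerable pattern: the SELECT decides authentication, the DELETE's
        result is never inspected, so every request that passed the check wins."""
        username = self._check(token, now)
        if username is None:
            return None
        if rendezvous is not None:
            rendezvous.wait()        # a second request lands inside the window
        self._delete(token)
        return username

    def consume_checked(self, token, now, rendezvous=None):
        """Hardened pattern: the DELETE's affected-row count is the single source
        of truth. Only the request whose DELETE removed the row gets a session."""
        username = self._check(token, now)
        if username is None:
            return None
        if rendezvous is not None:
            rendezvous.wait()        # identical interleaving to the naive path
        if self._delete(token) != 1:
            return None              # another request consumed it first
        return username


def race(consume, token, now, parties=2):
    """Run `parties` concurrent consumers that all pass the check before any of
    them deletes; returns how many were granted a session."""
    barrier = threading.Barrier(parties)
    results, guard = [], threading.Lock()

    def worker():
        outcome = consume(token, now, barrier)
        with guard:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(parties)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


def demo():
    """Same token, same two-request interleaving, both store variants."""
    vulnerable = TokenStore()
    vulnerable.generate("tok-1", "alice", expires_at=1000)
    hardened = TokenStore()
    hardened.generate("tok-1", "alice", expires_at=1000)
    return (race(vulnerable.consume_naive, "tok-1", now=500),
            race(hardened.consume_checked, "tok-1", now=500))


if __name__ == "__main__":
    naive_sessions, checked_sessions = demo()
    print(f"naive consume: {naive_sessions} sessions from one token")
    print(f"checked consume: {checked_sessions} session from one token")
```

The point the example makes is that a read followed by a write cannot enforce single use; the decision has to rest on the invalidating statement itself (the DELETE's affected-row count here, or equivalently a conditional UPDATE or DELETE ... RETURNING), because that statement is the only step the database executes atomically against concurrent requests.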
OpenCVE Enrichment