{"schema_version": "1.6.1", "id": "CVE-2026-50631", "summary": "OAuth2: TOCTOU Race Condition in Refresh Token Processing", "details": "A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7 or 3.6.12, which fixes this issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "4.2.0"}, {"fixed": "4.2.2"}]}, {"type": "SEMVER", "events": [{"introduced": "4.0.0"}, {"fixed": "4.1.7"}]}, {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "3.6.12"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8"}]}