Back to CVE List

CVE-2026-1035

LOW SEVERITY

CVSS Score & Metrics

Base Score
3.1 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Vulnerability Description

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-367
Source
GitHub
Vendor
maven
Product
org.keycloak:keycloak-services

External References

Discussion (0)

Add Comment

No comments yet. Be the first!