Description
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
Published: 2026-01-21
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized issuance of access tokens via refresh token reuse bypass
Action: Apply Workaround
AI Analysis

Impact

A time-of-check/time-of-use (TOCTOU, CWE-367) race condition exists in Keycloak’s TokenManager when strict refresh token rotation is enabled. The check of a refresh token’s usage and the update that records the new use are not performed as one atomic step, so several concurrent refresh requests can each pass the single-use check before any of them records the use, and each receives a new access token from the same refresh token. This flaw does not provide code execution or remote access, but it allows an attacker who already holds a valid refresh token to generate additional access tokens beyond the single use that rotation is meant to permit, effectively extending the lifetime of compromised credentials.
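The check-then-update gap described above, as an added illustration that is not Keycloak's code: a constructed in-memory refresh token store (the names `RefreshTokenStore`, `refresh_racy`, `refresh_atomic`, `concurrent_refreshes` and the `window` hook are this example's own) in which the non-atomic path lets concurrent requests all pass the usage check before any of them records the use, while the same check done under a lock accepts exactly `max_reuse + 1` requests.

```python
import threading
import time


class RefreshTokenStore:
    """Constructed in-memory model of per-token use counting (not Keycloak's TokenManager)."""

    def __init__(self, max_reuse: int = 0):
        self.max_reuse = max_reuse   # 0 models strict single use: one refresh per token
        self.use_count = {}          # token id -> number of refreshes already accepted
        self.lock = threading.Lock()

    def issue(self, token_id: str) -> None:
        self.use_count[token_id] = 0

    def refresh_racy(self, token_id: str, window=lambda: None) -> bool:
        # Time-of-check: read the counter and decide.
        if self.use_count[token_id] > self.max_reuse:
            return False
        window()  # models scheduling delay between the check and the update
        # Time-of-use: every caller that already passed the check above reaches
        # this point, so the single-use rule is bypassed under concurrency.
        self.use_count[token_id] += 1
        return True

    def refresh_atomic(self, token_id: str, window=lambda: None) -> bool:
        # Check and update under one lock: a second caller always sees the
        # counter as left by the first, however long the window is.
        with self.lock:
            if self.use_count[token_id] > self.max_reuse:
                return False
            window()
            self.use_count[token_id] += 1
            return True


def concurrent_refreshes(store, token_id: str, refresh, n: int = 8) -> int:
    """Fire n refresh requests for one token at once; return how many were accepted."""
    results = []  # list.append is thread-safe in CPython

    def worker():
        results.append(refresh(token_id, window=lambda: time.sleep(0.05)))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Calling `concurrent_refreshes` with `store.refresh_racy` on a freshly issued token accepts several of the eight requests, while `store.refresh_atomic` accepts exactly one (and `max_reuse + 1` in general).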

Affected Systems

Red Hat JBoss Enterprise Application Platform 8, the Red Hat JBoss Enterprise Application Platform Expansion Pack, Red Hat Single Sign-On 7, and the Red Hat builds of Keycloak 26.4 (including 26.4.11) are all affected when strict refresh token rotation is active. Systems running these products need to verify their configuration and version.

Risk and Exploitability

The CVSS base score of 3.1 indicates a low severity vulnerability, and the EPSS score is below 1%, meaning exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker must already possess a valid refresh token and be able to issue multiple simultaneous refresh requests to trigger the race condition. Since the impact is limited to the issuance of additional access tokens, the risk is confined to environments where refresh tokens are exposed or reused; broader system compromise is not possible.

Generated by OpenCVE AI on April 16, 2026 at 07:52 UTC.

Remediation

Vendor Workaround

To mitigate this issue, configure the `refreshTokenMaxReuse` policy in Keycloak to a value greater than zero. This prevents the race condition by allowing a limited number of reuses for refresh tokens, thereby maintaining the integrity of the Refresh Token Rotation hardening measure. Consult Keycloak documentation for specific configuration instructions. Changes to Keycloak configuration typically require a service restart or redeployment to take effect.


OpenCVE Recommended Actions

  • Configure Keycloak’s "refreshTokenMaxReuse" policy to a value greater than zero to allow a controlled number of refresh token reuses and prevent the race condition.
  • Restart the Keycloak server or redeploy the application after changing the configuration so the new setting takes effect.
  • Upgrade to the latest patched release of the Red Hat build of Keycloak (e.g., 26.4.11 or newer) when it becomes available to eliminate the flaw entirely.

Advisories

  • Source: GitHub GHSA
  • ID: GHSA-m2w5-7xhv-w6fh
  • Title: Keycloak does not validate and update refresh token usage atomically
History

Thu, 02 Apr 2026 14:15:00 +0000
  • CPEs: removed cpe:/a:redhat:build_keycloak: ; added cpe:/a:redhat:build_keycloak:26.4::el9
  • References: updated (values not listed on the page)

Wed, 21 Jan 2026 15:15:00 +0000
  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 12:15:00 +0000
  • References: updated (values not listed on the page)
  • Metrics (threat_severity): removed None; added Low

Wed, 21 Jan 2026 06:00:00 +0000
  • Description: added (the text shown under Description above)
  • Title: added "org.keycloak.protocol.oidc: Keycloak refresh token reuse bypass via TOCTOU race condition"
  • First time appeared: Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
  • Weaknesses: added CWE-367
  • CPEs: added cpe:/a:redhat:build_keycloak:, cpe:/a:redhat:jboss_enterprise_application_platform:8, cpe:/a:redhat:jbosseapxp, cpe:/a:redhat:red_hat_single_sign_on:7
  • Vendors & Products: added Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
  • References: added (values not listed on the page)
  • Metrics (cvssV3_1): added {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-02T16:47:18.487Z

Reserved: 2026-01-16T07:03:59.680Z

Link: CVE-2026-1035

Vulnrichment

Updated: 2026-01-21T14:40:46.720Z

NVD

Status: Deferred

Published: 2026-01-21T06:15:46.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1035

Redhat

Severity: Low

Public Date: 2026-01-21T00:00:00Z

Links: CVE-2026-1035 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T08:00:11Z

Weaknesses