Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Replay of consumed action tokens leading to unauthorized account access
Action: Patch Now
AI Analysis

Impact

The vulnerability is caused by the SingleUseObjectProvider in Keycloak lacking proper type and namespace isolation: every consumer of the store shares one flat key space, so the entry that records an action token as consumed is not shielded from other callers. An attacker able to delete arbitrary single-use entries in the global key-value store can remove that record and replay a consumed action token, such as a password reset link, bypassing the intended single-use restriction. The flaw is classified as CWE-653 (Improper Isolation or Compartmentalization) and can grant unauthorized access or compromise user accounts.
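The following model shows the isolation gap in miniature. It is an added illustration written for this page, not Keycloak code: the store classes, the namespace names, the hypothetical second feature that exposes a delete path (discard_pending_entry) and the token id are all assumptions. What it demonstrates is the property the advisory describes: when a single-use store ignores the caller's namespace, a delete issued for one kind of entry can erase the "already consumed" marker of an action token, and the used reset link is accepted again; qualifying every key by its namespace closes that path.

```python
import time

ACTION_TOKEN_NS = "action-token"             # namespace for consumed reset/verify tokens
OTHER_FEATURE_NS = "pending-verification"    # hypothetical second consumer of the store


class FlatSingleUseStore:
    """One global key space for every caller. The namespace argument is
    accepted but ignored: this models the missing type/namespace isolation
    the advisory describes (illustrative model, not Keycloak's implementation)."""

    def __init__(self):
        self._entries = {}  # key -> expiry time (unix seconds)

    def _purge(self, now):
        for k in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[k]

    def _key(self, namespace, key):
        return key  # namespace dropped: any caller can address any entry

    def put_if_absent(self, namespace, key, ttl_seconds, now=None):
        """Record `key` as used. True if it was new, False if already present;
        this is the check that makes a token single-use."""
        now = time.time() if now is None else now
        self._purge(now)
        k = self._key(namespace, key)
        if k in self._entries:
            return False
        self._entries[k] = now + ttl_seconds
        return True

    def remove(self, namespace, key):
        """Delete an entry; True if something was actually deleted."""
        return self._entries.pop(self._key(namespace, key), None) is not None


class NamespacedSingleUseStore(FlatSingleUseStore):
    """Same store, but every key is qualified by the caller's namespace, so a
    delete issued for one type of entry cannot reach another type."""

    def _key(self, namespace, key):
        return (namespace, key)


def consume_reset_link(store, token_id, lifespan_seconds=300, now=None):
    """Password-reset handler's single-use check: the first presentation of a
    token id succeeds, later presentations fail while the entry is alive."""
    return store.put_if_absent(ACTION_TOKEN_NS, token_id, lifespan_seconds, now)


def discard_pending_entry(store, entry_key):
    """Hypothetical unrelated feature that lets a user delete one of its own
    pending entries by a key the user supplies. It should only ever be able
    to touch entries in its own namespace."""
    return store.remove(OTHER_FEATURE_NS, entry_key)


def replay_possible(store, token_id="8f3c2a9e-reset-token"):
    """Run the scenario and report whether a consumed link can be replayed."""
    if not consume_reset_link(store, token_id):
        raise RuntimeError("a fresh token must be accepted")
    if consume_reset_link(store, token_id):
        raise RuntimeError("second use must be rejected before any tampering")
    # Attacker feeds the token id into the other feature's delete path.
    discard_pending_entry(store, token_id)
    # If the consumed marker is gone, the used reset link works again.
    return consume_reset_link(store, token_id)


def expires_naturally(store, ttl=300):
    """Entries do expire on their own (the TTL is why a store is needed at
    all); that is distinct from an attacker deleting them early."""
    t0 = 1_775_130_000  # constructed timestamp
    store.put_if_absent(ACTION_TOKEN_NS, "expiring", ttl, now=t0)
    still_blocked = not store.put_if_absent(ACTION_TOKEN_NS, "expiring", ttl, now=t0 + ttl - 1)
    reusable_after = store.put_if_absent(ACTION_TOKEN_NS, "expiring", ttl, now=t0 + ttl)
    return still_blocked and reusable_after


if __name__ == "__main__":
    print("flat store, replay possible:", replay_possible(FlatSingleUseStore()))
    print("namespaced store, replay possible:", replay_possible(NamespacedSingleUseStore()))
```

The only difference between the two stores is the `_key` method; the consuming code on both sides is identical, which is the point: the fix belongs in the store's key derivation, not in every caller.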

Affected Systems

Affects the Red Hat build of Keycloak versions 26.2, 26.2.15, 26.4, and 26.4.11 running on RHEL 9. The severity is moderate with a CVSS 3.1 score of 5.3, and the vulnerability is not listed in the CISA KEV catalog. No publicly available exploit tools or code have been reported, and the EPSS score is below 1% (very low).

Risk and Exploitability

The advisory does not spell out how an attacker reaches the deletion path, only that the store's shared key space lets a delete aimed at one kind of entry remove another. The CVSS vector (AV:N/AC:H/PR:N/UI:R) rates the attack as network-reachable without prior privileges but with high complexity and a user-interaction requirement, so it is not a trivial unauthenticated remote exploit; compromise of the underlying datastore would give the same deletion capability directly. The flaw affects integrity only (C:N/I:H/A:N), so the outcome is a replayed action token rather than code execution. Red Hat lists no workaround, so the most effective mitigation is to apply the released security updates. Until a patch is in place the risk remains moderate; watching for a second successful execution of the same action token and restricting network access to Keycloak and its datastore reduce the likelihood of exploitation.

Generated by OpenCVE AI on April 2, 2026 at 22:59 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security updates RHSA-2026:6475 through RHSA-2026:6478 to upgrade Keycloak to a patched version.
  • If an update cannot be applied immediately, limit network exposure to the Keycloak instance and enforce strict access controls to the underlying datastore.
  • Monitor Keycloak event logs for a second successful execution of the same action token: a reused reset link should produce an error, not another success. Investigate any password reset the user did not initiate.
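A concrete form of that check, as an added example that is not part of the OpenCVE page or of Keycloak: group action-token events by token id and flag any token with more than one successful execution. The JSON lines below are constructed for this example, and the field names (type, userId, ipAddress, details.token_id) are assumptions about the event format, so map them to whatever your Keycloak event listener actually emits before using this against real logs.

```python
import json
from collections import defaultdict

ACTION_TOKEN_OK = "EXECUTE_ACTION_TOKEN"  # success event; *_ERROR variants are the expected outcome of a reused link

# Constructed sample events, not real Keycloak output. Token t-aaa is executed
# successfully twice, ten minutes apart, from two different addresses.
SAMPLE_EVENTS = """\
{"time": 1775130000000, "type": "EXECUTE_ACTION_TOKEN", "realmId": "demo", "userId": "u-1", "ipAddress": "198.51.100.7", "details": {"action": "reset-credentials", "token_id": "t-aaa"}}
{"time": 1775130005000, "type": "UPDATE_PASSWORD", "realmId": "demo", "userId": "u-1", "ipAddress": "198.51.100.7", "details": {}}
{"time": 1775130300000, "type": "EXECUTE_ACTION_TOKEN_ERROR", "realmId": "demo", "userId": "u-1", "ipAddress": "203.0.113.9", "details": {"action": "reset-credentials", "token_id": "t-aaa", "error": "expired_code"}}
{"time": 1775130600000, "type": "EXECUTE_ACTION_TOKEN", "realmId": "demo", "userId": "u-1", "ipAddress": "203.0.113.9", "details": {"action": "reset-credentials", "token_id": "t-aaa"}}
{"time": 1775130700000, "type": "EXECUTE_ACTION_TOKEN", "realmId": "demo", "userId": "u-2", "ipAddress": "198.51.100.20", "details": {"action": "verify-email", "token_id": "t-bbb"}}
not json at all
"""


def parse_events(lines):
    """Yield one dict per well-formed JSON line; skip blanks and junk lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_replayed_tokens(lines):
    """Return {token_id: [event, ...]} for every action token that was
    successfully executed more than once. A success followed by an
    EXECUTE_ACTION_TOKEN_ERROR is normal (someone clicked a used link); a
    second success is the signal that the single-use guard was bypassed."""
    by_token = defaultdict(list)
    for ev in parse_events(lines):
        if ev.get("type") != ACTION_TOKEN_OK:
            continue
        token_id = (ev.get("details") or {}).get("token_id")
        if token_id:
            by_token[token_id].append(ev)
    return {tid: evs for tid, evs in by_token.items() if len(evs) > 1}


def summarize(replays):
    """Flatten findings to (token_id, users, distinct IPs, seconds between
    first and last success) so they can be fed to a ticket or alert."""
    out = []
    for tid, evs in sorted(replays.items()):
        times = sorted(e["time"] for e in evs)
        users = sorted({e.get("userId", "?") for e in evs})
        ips = sorted({e.get("ipAddress", "?") for e in evs})
        out.append((tid, users, ips, (times[-1] - times[0]) / 1000))
    return out


if __name__ == "__main__":
    for tid, users, ips, span in summarize(find_replayed_tokens(SAMPLE_EVENTS.splitlines())):
        print(f"token {tid} executed twice for {users} from {ips}, {span:.0f}s apart")
```

Run it against the real event stream by replacing SAMPLE_EVENTS with the file or pipe your listener writes; a token id appearing in two successes is worth an alert even before the second IP differs, since the legitimate user may also be the one whose link was replayed.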



Advisories

Source        ID                    Title
GitHub GHSA   GHSA-rx66-hj7g-28h7   Keycloak: Replay of action tokens via improper handling of single-use entries
History

Thu, 16 Apr 2026 21:00:00 +0000

  CPEs added:
    cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

  References: updated
  Metrics threat_severity: None -> Moderate

Thu, 02 Apr 2026 20:30:00 +0000

  First time appeared: Redhat build Of Keycloak
  CPEs added: cpe:/a:redhat:build_keycloak:26.2::el9
  Vendors & Products added: Redhat build Of Keycloak
  References: updated

Thu, 02 Apr 2026 14:15:00 +0000

  CPEs removed: cpe:/a:redhat:build_keycloak:
  CPEs added: cpe:/a:redhat:build_keycloak:26.4::el9
  References: updated
  Metrics ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:15:00 +0000

  Description added: A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
  Title added: Keycloak: keycloak: replay of action tokens via improper handling of single-use entries
  First time appeared: Redhat; Redhat build Keycloak
  Weaknesses added: CWE-653
  CPEs added: cpe:/a:redhat:build_keycloak:
  Vendors & Products added: Redhat; Redhat build Keycloak
  References: updated
  Metrics cvssV3_1 added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-07T11:27:36.605Z
Reserved: 2026-03-17T12:43:33.403Z
Link: CVE-2026-4325

Vulnrichment

Updated: 2026-04-02T13:17:11.872Z

NVD

Status: Analyzed
Published: 2026-04-02T13:16:26.863
Modified: 2026-04-16T20:51:22.663
Link: CVE-2026-4325

Redhat

Severity: Moderate
Public Date: 2026-04-02T12:30:00Z
Links: CVE-2026-4325 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:48Z

Weaknesses